The Tech Scene: Still in Lab, Data Exchange Gets 'Monster' Tag

Two years ago Scott McNealy, the chief executive officer of Sun Microsystems, famously told a group of reporters and analysts gathered for the introduction of a new data-sharing technology from his company, "You have zero privacy anyway - get over it."

Today, a group of technology companies led by International Business Machines Corp. seems to have built a piece of infrastructure guaranteed to make Mr. McNealy's taunt come true. The technology companies and their partners - which include First Union National Bank, HSBC-USA, Bank of Nova Scotia, and Charles Schwab Corp. - have introduced an Internet standard that gives companies a common platform for exchanging information about customers. Companies that join the so-called Customer Profile Exchange Network will be able to swap customer names, addresses, phone numbers, and ages, plus harder-to-track data like transaction information and purchases.

The very thought is enough to send privacy activists through the roof, but the companies that have devised the standard argue that their efforts could enhance online privacy, since consumers who choose to opt out of a company's data-sharing program could have their preferences broadly communicated. The exchange is now in the experimentation and demonstration phase, and its organizers have not said when they expect to have it fully up and running. Copies of the specification are available at the consortium's Web site, www.cpexchange.org.

The more than 70 companies associated with CPExchange, which was started by the e-business company Vignette Corp., are an oddball assortment of technology firms (Hewlett-Packard Co., Intuit Inc., Lucent Technologies), dot-coms, and others. Barnesandnoble.com, Cablevision Systems, and PricewaterhouseCoopers are among the members, as are companies called PrivacyRight and PrivaSeek.

While the three banks in CPExchange confirmed their participation, two of the three would not comment on the venture directly. First Union released a statement in response to questions about its role, stating that the bank "is committed to protecting the privacy and security of customer information." First Union said it joined the project "to stay informed of new technologies and how those technologies will benefit our customers," and said it had "made no corporate decision to use this technology." First Union added, "Our top priority is clearly serving our customers, and we would not use technology that would violate the privacy or security of our customer information."

Indeed, banks have good reason to be sensitive about being connected with CPExchange, which has drawn concern from many corners. On Dec. 5, Sen. Richard C. Shelby, R-Ala., sent a letter to the Federal Trade Commission asking for a review of the CPExchange standard and its impact on consumer privacy; Mr. Shelby referenced a Washington Post article that publicized First Union's participation in CPExchange.

Unlike Europe, where strict privacy laws would make an endeavor like CPExchange out of the question, there are few U.S. laws that limit customer information-sharing among companies. But banks are more regulated than most of the other companies participating in the exchange, so certain regulations - such as the privacy rules of the Gramm-Leach-Bliley law - could limit the amount of information banks could send across CPExchange.

The Gramm-Leach-Bliley Act of 1999 for the first time established protocols to prohibit institutions from sharing customer information with nonaffiliated third parties. The law requires financial institutions - including banks, thrifts, credit unions, securities firms, and insurance companies - to inform customers about their policies on data-sharing by July 1 of this year. If the institution shares customer information outside of the "corporate family" (i.e. affiliates and vendors), it must give customers the opportunity to opt out of having their data shared. If the customer does not explicitly tell the institution not to share their information, then the institution can sell or share the data.

If a bank chooses to share a customer's information with a nonaffiliated third party that is either a service provider (performing services or functions on behalf of the institution) or a joint marketer (another financial institution who has entered into a contract to jointly market products and services), the bank still has to notify the customer that the information is being shared.

The organizers of CPExchange say their efforts could actually facilitate some of the privacy provisions of Gramm-Leach-Bliley by making it easier for consumers to take some control over what marketers collect. The system is being designed so that some information can be labeled "private," and the privacy label will stick even as the information is passed along. Potentially, this could make it easier for consumers to choose what information their banks can share with which third parties.

It is currently difficult for companies to exchange customer data - and the private or public status of it - because of the challenges in passing information across disparate systems. Companies have different ways of representing and storing customer data, and in order to allow their systems to communicate with one another, they have to speak the same language.

This problem has protected customer privacy by making it harder for businesses to mine and trade complete records, but the idea behind CPExchange, which was formed in November 1999, was to develop a common technology standard by creating an application-independent description of customer information based on Extensible Markup Language (XML), which is an open Internet standard.

For businesses, the benefits of such a standard seem clear. The more easily customer information is exchanged, the better a company can market to its customers and provide tailored service, which popular wisdom states will lead to bigger sales.

But what will happen to customer privacy if CPExchange gets built? With all this information being exchanged, how does the customer know where all of this data is going and who is looking at it?

The technologists behind CPExchange say they know better than to let anything go wrong. As one of them writes in a message posting on the venture's Web site, "The intended misuse of personal data, especially in the times of the Internet, will bring any business operation to a screaming halt."

Eric Schmitt, an analyst with Forrester Research, said the exchange will be able to pass information among companies at a "very granular level." A feature of the exchange would be the ability to separate out pieces of information, potentially for inclusion or exclusion from a customer profile.

"Because it is standardized, it is also more likely that a third-party will be able to come in and audit it," Mr. Schmitt said. "It is easier to monitor and more transparent."

