Privacy plan won't stop the snooping

June 26, 2000|By Mike Himowitz

Whenever the cash register at my supermarket is printing my receipt at the end of the checkout line, a little gadget attached to it spits out a coupon. Usually it's good for 50 cents off something I've just bought, or a discount on a similar item.

This is an example of good marketing. The supermarket knows who I am - I use a credit card and have shopped there for years. With its computer tracking what I buy, it tailors its coupons to my buying habits and offers me an inducement to return. So far, so good.

But suppose your supermarket went a step further and hired an invisible man to follow you through the aisles, taking notes each time you picked up a can of soup, lingered over a hunk of Gorgonzola, or checked out the hemorrhoid ointments. Kind of creepy, isn't it? And suppose your supermarket decided to sell that information to anybody who was willing to pay for it.

Now suppose another invisible man followed you through the aisles at the hardware depot down the street. Looking at storm door hardware? He makes a note. A day later you get three phone calls from guys selling storm doors. Even creepier, right?

This is exactly what can happen when you surf the Web, and people are finally getting fed up with it. Politicians - suddenly more worried about losing votes from angry consumers than corralling con- tributions from the privacy peddlers - are reluctantly talking about legislation to regulate this snooping.

At least they were until last week, when Microsoft and 30 other companies endorsed a plan that would allow your computer to negotiate with each Web site just how much personal information you're willing to give up. Known as the Platform for Privacy Preferences (P3P), this scheme has been in development for three years under the auspices of the World Wide Web Consortium, the international group that oversees development of the Web.

Under current practice, Web sites are supposed to post privacy policies explaining what they do with the information they collect about you. That information is, of course, recorded in their own databases and frequently stored on your hard drive in the form of small data files called "cookies" that a Web site can examine every time you return to its territory. There's nothing to prohibit Web sites from doing anything they want with the information, they just have to tell you about it. Of course, this assumes that you can find the privacy policy in the first place and then translate its lawyerspeak into English.

P3P technology would encode these policies in a computer language that a compliant Web browser would download automatically when you first log onto a site. The same browser would allow you to set up preferences for the information you're willing to give out - name, address, phone number, credit card information and so on. It would also tell the site how much of that information you were willing to allow it to sell to third parties.

If your preferences match the Web site's privacy policy, you won't notice the invisible handshake. If there's a conflict, your browser can issue a warning and you can take your business elsewhere.

On the surface this is a reasonable solution. It certainly appeals to politicians and free marketers who have been arguing - against all evidence - that the industry can regulate itself without government interference. The Clinton administration endorsed the plan wholeheartedly and promised to make government Web sites P3P-compliant.

That alone should have been enough to ring a warning bell, because the Clinton administration is no friend of privacy rights.

It has fought and delayed every effort to expand the use of secure encryption by ordinary citizens who want to keep their e-mail and other Internet information private. And until the Federal Trade Commission bowed to public pressure this month, it had shown no sign of being willing to regulate the snoops who follow us around the Web.

Even as the White House was endorsing P3P, word leaked out that its Office of National Drug Control Policy was recording information about everyone who visited its Web site. Moreover, the company it hired to do the job was none other than DoubleClick, the most notorious collector and aggregator of personal information on the Web.

Nobody thinks P3P is a bad idea per se. But privacy advocates, including the Electronic Privacy Information Center, say it does nothing to limit the collection or peddling of personal information - or to punish those who violate their own privacy policies. Moreover, it actually tilts the playing field in favor of the snoops, because it assumes from the outset that you're willing to give up some privacy. The only question becomes how much.

Most computer users rarely change their Web browsers' settings - or even know how to do it. So the real battle may be over before it begins, particularly if the Web advertising industry gets Microsoft or PC makers to ship computers with default privacy settings that automatically give up the maximum amount of information about you and your Web surfing habits.

I'm not a privacy fanatic, nor am I a great believer in government regulation. I understand that advertisers want to know about my habits so they can expose me to pitches that match my interests. That serves us both. But there's a lot of potential for abuse, and P3P does nothing to deal with the problem other than alert you that somebody is about to pick your pocket.

This is something you should care about. For information about P3P from its source, visit the World Wide Web Consortium at For a critical report on the project, visit the Electronic Privacy Information Center at

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.