Online Privacy Inside and Out

While online privacy is one of the thorniest issues in cyberspace today, inaction and rhetoric have promoted a groundswell of fear and distrust in the average consumer.

In many cases, Web shoppers believe that e-tailers take it upon themselves to collect and share personal information without being accountable for its use. If steps are not taken to quell these consumer jitters, confidence in e-commerce may be irreparably damaged, and the Federal Trade Commission (FTC) could heed the advice of privacy advocates by stepping in and more aggressively regulating the industry.

Regardless of whether the privacy problem is resolved through self-regulation or the imposition of government controls, the end result will radically affect e-commerce over the next decade — and perhaps beyond. In the following report, the E-Commerce Times examines some key aspects of the issue and explores the viewpoints of important players on both sides of the line.

The DoubleClick Brouhaha

Last year, when Internet advertising agency DoubleClick announced plans to purchase Abacus Direct Corp., a company that provides information to the direct marketing industry, few people would have predicted the controversy that was to follow.

DoubleClick had grown phenomenally since 1995, increasing revenues from 9.3 million to $258.3 million (US$) by 1999. At the heart of the company’s success was a technology known as DART, which tracks the behavior of browsers on the Internet in order to serve advertising targeted to each browser’s surfing patterns.

While privacy advocates expressed concerns, most tolerated the practice because the browsers were not linked to the identities of the people who were using them.

Anonymity Lost

DoubleClick then changed its strategy to include linking the anonymous information to Abacus’ database of names, addresses and telephone numbers. While the company said this linkage would only happen with a user’s permission, many critics claimed that such permission was gained surreptitiously — and that users were unaware that their personal information was being tracked.

Soon, a series of high-profile legal actions consumed DoubleClick from nearly every direction, including investigations by the FTC and the State of New York. In another notable case, the State of Michigan issued a notice of intended action to sue DoubleClick for violations of its Consumer Protection Act.

Cookies Used for Cyber-Spying

Further fueling the controversy, Michigan Attorney General Jennifer Granholm likened DoubleClick’s actions to “spying and wiretapping,” and gave the company 10 days to abandon its practice of tracking Net surfing by sending cookies to its consumers’ computers without their explicit permission.

Michigan’s position is that only the primary Web site that a user visits can place a cookie without permission — and even then, the user must have a reasonable expectation that such a cookie might be placed.

The state maintains that companies like DoubleClick, with which consumers have no direct contact, cannot place cookies without permission. Further, it asserts, DoubleClick’s claim that the practice benefits consumers — and that the company will never use the sensitive data that it collects — is irrelevant under the Michigan interpretation of its Consumer Protection Act.

If Michigan prevails, the decision could spark a nationwide movement that would send DoubleClick and DART to cyber-oblivion.

Wiretap Law Examined

In order to separate rhetoric from reality, the E-Commerce Times asked Professor G. Robert Blakey, draftsman of the federal wiretapping statute and noted expert on wiretapping, whether the practice of connecting anonymous information about where a browser surfs on the Net with a user’s personal identity would indeed constitute wiretapping.

“The answer can be understood by making an analogy to searching the mail,” Blakey said. “Looking at the outside of an envelope — who sent the letter and where it’s going — is called a ‘mail cover.’ That is not a ‘search and seizure’ under the Fourth Amendment, and so does not require a warrant.”

“Looking inside of the envelope at its contents,” Blakey continued, “is a ‘search and seizure’ because it is an interception of an ‘electronic communication’ under the statute. Looking at the contents of an electronic communication is a wiretap under the 1968 statute, as amended in 1986. Looking at the sender and receiver is not.”

For example, if an advertising company were to track the fact that “Computer A” had gone to certain Web sites and clicked on certain ads, that would be similar to looking at a “mail cover,” and would not be wiretapping. Tying the identity of the person using “Computer A” to its surfing record would not constitute wiretapping either — so long as the individual’s identity was obtained without intercepting an electronic communication.

Blakey said that if an advertising company, or indeed, any third party, “looks into the envelope” without consent — viewing e-mail contents, credit card entries or purchase orders — then the third party’s actions would constitute wiretapping.

However, if either of the original parties to a communication were to unilaterally disclose its contents — for example, if an e-tailer were to reveal its customers’ identities and purchase records without their permission — there would be no wiretap, even though there could be invasion of privacy under state law.