By Hiawatha Bray, Globe Staff, 02/11/99
No, you're not being paranoid. You are being watched.
Everytime you log onto the Internet, you're probably helping to build a dossier on yourself.
The most sophisticated shopping sites on the Web keep track of everything you buy, and analyze the information in an effort to sell you still more goodies.
Other sites entice you with come-ons like free electronic mail accounts, in exchange for personal information like your name and telephone number. Still other sites don't ask you for anything, but simply keep track of your electronic wanderings, using the information to create a personal
profile that is a marketer's dream.
Scary? Some people think so. A survey last year by Business Week magazine found that more than three-quarters of those who shop on the Internet say they would buy even more if there were better privacy safeguards. And among those who didn't shop on-line, privacy fears were the chief reason they stay away.
The popular computer network America Online created a national furor last year when it released information about one of its customers to the US Navy. Timothy McVeigh had posted, anonymously, information on-line that suggested he was gay. The Navy persuaded AOL to violate its own privacy policy and reveal McVeigh's identity, whereupon he was discharged from the service.
McVeigh was subsequently reinstated after a federal court challenge, but the incident served as a startling illustration of how much personal information is available on-line.
What kind of information can Web-based businesses collect and how do they do it? The simplest method, and perhaps the most misunderstood, is the ''cookie.'' A cookie is a small chunk of data that is sent by a Web site to a visitor's computer. The cookie can be used to store data that the visitor will need whenever he returns to the site. For example, a visitor to the New York Times Web site must get a password to sign in. But if he agrees, he can also get a cookie that will ''remember'' his password. The next time he visits the site, the Times computer will check his browser. If the cookie is there, the visitor is instantly logged in, without having to retype the password.
Internet advertisers love cookies, because they make it possible to control exactly which ads are displayed on a person's computer. This is the business of companies like New York-based DoubleClick, which attaches cookies to ads in order to create profiles of millions of Internet users.
Here's how it works: Many commercial Web sites feature banner ads linked to the DoubleClick network. When someone visits one of these sites, his or her computer gets a cookie that notes the particular ad being displayed. The cookie continues to track the user, noting every visit to a site featuring DoubleClick ads. The cookie tracks which ads the user clicks on for more information, and which ads he or she ignores.
Little by little, DoubleClick builds up a profile of the Web surfer, which can be used to send ads specifically tailored to his or her tastes.
As a result, two different people visiting the same Web page may see entirely different ads, depending on the content of their DoubleClick cookies.
To some, it might sound a like Web users are being followed by some virtual detective, but DoubleClick general manager Christopher Saridakis says that cookies are not an invasion of privacy. ''It really doesn't contain any information about the individual,'' he says.
DoubleClick doesn't know who you are or where you live. It just knows that somewhere out there, Person X, likes football, hates basketball and is interested in sport-utility vehicles. Besides, DoubleClick allows consumers who don't want to be tracked to opt out of the system. On request, they'll send out a cookie that blocks all other DoubleClick cookies.
In general, cookies pose little threat to your privacy. A cookie can only be read by the Web site that installed it in the first place. Even if you visit a fly-by-night Web site run by hostile hackers, they can't learn anything about you by accessing your cookies. Indeed, most cookies only contain a set of numbers that will be meaningless to any other computer but the one that created the cookie.
Still, for those who insist on avoiding them, most standard Web browsers can be set to warn the user of incoming cookies so that the user can opt to refuse them. Unfortunately, so many sites install cookies that users will be bombarded with dozens of cookie requests. To avoid this, some people use software tools with names like InterMute and Internet Junkbuster, that allow consumers to block out nearly all cookies.
But there's a price to pay for life without cookies - some Web sites won't let you in without one.
Nevertheless, Evan Hendricks, editor of Privacy Times, a newletter based in Washington, D.C., refuses all cookies as a matter of principle. ''I don't see any benefit to me in allowing them to place a cookie,'' he says. ''The benefit's all to them.''
Hendricks acknowledges he's never heard of anyone suffering a loss of privacy because of cookies, but he fears that could change if companies find ways to link your cookie to a file of personal information about you.
It's already happening at hundreds of Web sites, where consumers provide detailed personal information. Such information can be combined with cookies to create a personalized customer profile - or to reveal sensitive information to complete strangers.
There are some advantages to personalization, however. An example of it at its best can be found at eToys, a popular toy retailing site. Toy shoppers can create a personal account at the site that will keep a permanent record of everything they have ever purchased there. The site also allows them to create a wish list of toys they might want to buy in the future. It even has a calendar that can send e-mail reminders of a child's birthday.
Other sites, like the popular bookseller Amazon.com, take personalization even further. The Amazon site analyzes the books a customer buys, and directs the customer to other titles that might also be of interest. ''Their business model is based on getting very detailed information on their customers and what they do,'' says Hendricks.
And that's what scares him.
eToys vows never to sell the information it collects about its customers. Amazon reserves the right to do so, but will keep customer data private if the customer submits a request via e-mail. But many other Web retailers make no such pledges. Under existing law, they're free to sell any information about you, to anyone willing to buy it.
The same goes for the many Web sites that don't sell anything, but still collect lots of personal data on visitors. Many sites offer free Web pages and free e-mail service. But these services aren't really free. They're provided in exchange for personal information that can be used to build up a database of potential customers. And consumers have no control over what happens to this data.
Perhaps the most aggressive effort yet to compile information on computer users was announced on Feb. 8. A California firm called Free-PC.com is giving away computer systems to the first 10,000 customers who sign up for the company's free Internet access service.
But there's a catch. Customers must provide lots of personal information - name, address, age, marital status and so on. This information will be used to beam carefully targeted advertisements to each Free-PC.com user. In addition, the Free-PC.com system tracks every site the user visits, adding this data to the person's marketing profile. Users who frequently visit personal-finance sites might see frequent ads for mutual funds or banks.
Free-PC officials say they'll sell their data collection to other companies, but will not include information that can be used to identify individuals, like names and addresses.
A survey taken last year by the Federal Trade Commission found that only 14 percent of the 1,400 commercial Web sites surveyed even had an official privacy policy to inform consumers about how their personal data would be used. The Clinton administration has warned Web-based businesses that unless they move aggressively to provide better privacy guarantees, new federal laws are on the way.
Such laws may be inevitable because of events overseas. The 15 nations of the European Union have imposed very strict privacy regulations on firms doing business inside its borders. For instance, a European firm can't sell personal information about customers to a third party without getting explicit permission from the customer. Now the EU is threatening to limit the ability of American companies, including Internet companies, to do business in Europe unless the United States adopts equally tough privacy rules.
American companies are scrambling to stave off regulation by adopting voluntary privacy guarantees. TRUSTe, a nonprofit organization in Palo Alto, Calif., certifies companies that pledge to protect the privacy of Internet visitors. As of December 1997, only 42 firms had signed up for TRUSTe certification. After warnings from the federal government, the number jumped tenfold last year, to 427 firms.
Susan Scott, TRUSTe's executive director, says that reputable Web sites are becoming much less willing to share information about their customers. ''I think that the sites that are serious about this have realized, hey, this is something we can't be cavalier about,'' she says.
TRUSTe doesn't forbid members from sharing the information they collect. Instead, the organization requires that certified companies clearly inform visitors about how the firm will use any information it collects. The idea is not to limit companies' use of data, but to provide information so that consumers can make informed decisions about whether to provide data.
It is unclear whether a voluntary program like TRUSTe will satisfy the concerns of European regulators, who favor rigid legal protections of consumer privacy. Besides, in the case of Timothy McVeigh, AOL violated its own rules about releasing personal information. Some privacy advocates think that only federal laws will prevent such lapses.
But Scott is convinced that as consumers become better informed, businesses will have all the incentive they need to improve their protection of personal data.
''If you're going to violate the trust of your consumers,'' Scott says, ''I don't think you're going to be in business a very long time.''