If you need a dramatic demonstration of why there is no substitute for personal vigilance and 'techno. empowerment' to safeguard essentials of your privacy as you use of the internet, take in this July 24 item from IDG News Service (and online courtesy of PC World Communications): "Full details of hundreds of credit cards are out in the open. At the time of this writing Monday, all customer orders of a U.S.-based electronic commerce site, with pornography as the best-selling item, were openly available online without any protection. . . . The numbers and expiration dates of the cards can be viewed by anyone. Order details also include the customers' names, mailing addresses, and the items ordered. . . . The e-commerce Web site is no longer operational . . . It is possible that many of the credit cards are still valid. "

Not quite as dramatic, but also relevant is the following item from the August 2nd edition of SANS Institute NewsBites: "28 and 27 July 2000 . . . The Federal Trade Commission (FTC) approved a plan that would allow online advertisers to self-regulate consumer profiling data collection. . . . Under the guidelines, consumers would be notified that they are being profiled, and have the option to opt out of data collection. The companies would also agree not to use sensitive personally identifiable information. Editor's (Murray) Note: Privacy advocates considered the plan a "sell-
out" on the part of the government."

Both news items just cited can be used in an argument to support the conclusion that vigilant citizens armed with products available in the marketplace form the only route that will be effective in regaining what we have now decisively lost in the area of privacy on the internet.

WHY ENHANCED PERSONAL VIGILANCE IN ONLINE PURCHASING IS NEEDED

The first item allows one to emphasize the need for you to question what your merchant is doing with credit card and other personal information you provide in making a purchase, including where the information is stored.

If you made an online purchase, chances are a persistent cookie has been placed on your computer in the process, and (depending on who placed it there) this can become a basis for continued surveillance of your web surfing. [ To get a dramatic demonstration of how this process works go to http://privacy.net/track/ .] This news item helps to reinforce the point that persistent cookies placed on personal computers by e-marketers now make cookie management essential for millions of consumers. (The argument that supports this conclusion is given below.)

The second item also implies that the need for aggressive management of cookies will become more evident in the future. It is further evidence of enormous and powerful business interest in profiling of web surfing behaviour for marketing purposes. This profiling activity is not about to go away, yet there are some cold facts that surround it, and which need to be kept in mind when the agreement reported in the second news item is considered.

(1) Opting out is now offered by several firms; and for a number of them you almost need a magnifying glass and significant patience at their site to find the button on which to click to get to the opt-out function. A neat trick is to bury this link in a mass of fine-printed legalese. How many firms will use such tricks and proclaim on a stack of bibles that they have provided consumers with an opt-out option?

(2) "Opt out" means that if for any reason you do not see the relevant opt-out notice at a site or you are too tired or impatient to get to the right opt-out button, you are automatically assumed to have agreedto what is going to be done to you.

(3) The agreement of companies "not to use personal data" (cited in the second news item) calls for a definition of "use". Even more important, it needs a supporting clarification of what happens when a company goes bankrupt or is taken over by another company with a different policy or operating in a different jurisdiction such as another country.

TWO DIFFERENT PRICES YOU PAY FOR ONLINE PURCHASES

If ALL the profilers had were files of web surfing tracks, the marketing value would be highly questionable. The records in those files MUST be married to 'demographic' and/or purchasing information provided by consumers, to allow meaningful targeting to happen based on the profiling of web surfers' tracks.

You can often avoid providing personal information when you are not purchasing; but it almost impossible to do that when you are purchasing. Hence purchasing records are probably a major source of useful profiling.

Therefore, as you purchase online and help feed the information-hungry e-marketers with your personal demographics, it is advisable to identify TWO prices you often pay with a purchase:
          (1) the cash price
          (2) the privacy-loss price.

THE NEW ELEMENT IN MERCHANTS' ACCUMULATION OF CLIENT INFORMATION

Merchants have been keeping client information since long before the internet came along; but the internet brings two new developments everyone needs to know about in an enlightened citizenry:
(1) it greatly raises the probability that your personal information will fall into the hands of various third parties,
(2) NEW business entities have emerged with the sole or dominant purpose of watching what you do online and helping merchants to link that information to personal information about you, so as to create meaningful profiles that help marketing campaigns.

Yes, the marketers have NO intent to build personal dossiers for the purposes of blackmail, extortion, or other forms of personalized creation of victims. Rather the information is quickly aggregated into demographic and life-style groupings that help marketers and merchants target sales promotions to the groups most likely to respond positively.

DON'T BE FOOLED BY THE CONSTANT REFERENCE TO HOW YOUR INFORMATION IS ONLY RELEASED IN "AGGREGATED FORM"

But the data MUST be kept in dossier-level files in order that information up-dating, re-aggregations and various forms of market-related analyses requiring new cross-tabulations can go on.

Almost anyone from the other side of the Atlantic Ocean can remind you that history already contains examples of wicked uses of dossier-level files.

A dossier-level file is one where every record has an identification code that has been assigned to a specific individual entity, and where every deemed behaviour of that entity may be used to create a new datum that is added attached to the file's records that are clearly linked to that entity by virtue of the identification code.

Yes, when all the file holds are web-surfing tracks, the "individual entity" is most likely to be an IP address. This leaves you as an unknown person if that is your address. But the chances are high that there are also files where that same IP address is associated with an email address, and, in a high proportion of cases, other 'demographic' information. The ease with which companies can arrange to bring those two files together, using the common codes and a technique called "stochastic matching" , behind the scenes and unknown to any but a very few people, is simply mind-boggling. That process is not a technical feat even for your Mother In-Law!

The persistent cookie (the ones that are set to expire often you are dead, or no sooner than several years into the future) is a key enabler of this entire setup.

What is particularly important to appreciate is that while large merchandisers had such files in the pre-internet days, arranging to provide others with access to those files was quite a chore by comparison with the situation in these internet days.

Also, firms who only provide marketing advice and support to other businesses now have a strong interest in building up dossier-level files as the capital upon which to grow their businesses.

Therefore, in the pre-internet days when you bought from merchants only the larger ones kept systematic files on customer attributes, even they had little interest in selling information from those files, and therefore the chances of your giving up both (a) money and (b) privacy to make a purchase were extremely low.

But now in these internet days you are much more likely to pay two prices for your online purchase: the cash price and the privacy price. (I know, I am being repetitious on this point; but I feel lots of people really need to sit down and realize how much the landscape for personal buying of things has been changed.)

WHY YOU CANNOT "LET GEORGE DO IT" THIS TIME

Therefore, you must be concerned about whether Your Favorite Merchant operates in such a way that if he/she goes out of business your credit card number and other personal information will end up in public view as the first news report above illustrates. The probability that there exist files to allow such obscene public displays has gone upwards greatly, I hypothesize.

Therefore, it is now in YOUR hands to challenge Your Favorite Merchant about the PRIVACY PRICE of your purchase!

The second news story cited above lends further emphasis to the idea that your personal vigilance is now required. You have NO need to agree with some privacy advocates' allegation that that news signals a sellout to e-marketers in order to see that you are now in an environment where aggressive support of your personal privacy is going to be in your hands and nowhere else.

All this means that the rather tedious and boring subject of how to manage the storehouse of cookies placed on your computer by e-marketers is in fact quite important.

If millions of personal computer users fail to attend to this requirement, we would have brought upon ourselves a new world of wanton self exposure to small and large e-marketers. Both are now able to arm themselves with smart programmers who know how to get things out of peoples' personal computers, keep tabs on their electronic surfing, and tie that information to other dossier-level information they have.

Isn't this a new kind of pornography?

That may be a wild question; but it's here to wake you up! Your personal attention to cookie management is not a trivial matter. Arawak Net's Privacy Watch will soon contain a tutorial on software that is in the marketplace to help you manage your cookie storehouse in the Mac and PC environments. We know some cookies are nearly essential for things you and I need to do. Others are good but not essential. And then "there's the rest to worry about", since virtually no one sets out to ask your permission before they are planted on your computer.

A serious effort has been made here to respect peoples' copyrights. Any lingering violation will be corrected promptly, as soon as someone points out where the violation takes place. Contact lestone@arawak.net.

© 2000 Arawak Enterprises. All rights reserved.