HOW CONSUMERS CAN USE THE RECENT USA-EUROPE 'SAFE HARBOUR' AGREEMENT TO ENERGIZE CITIZEN-LEVEL MARKET-BASED ACTION ON INTERNET PRIVACY

If you want to take action to become an active part of an effective security firewall that minimizes assaults upon your privacy as you surf the web, look for and study the principles embodied in the tentative Safe Harbour Agreement recently concluded between the US Dept. of Commerce and a Commission of the European Union (EU). The agreement must now be ratified by a majority of the EU countries.

Some highly relevant points from these principles are presented below. These points, and a set of proposals developed by software engineers in 1997, form a partial basis for aggressive and effective Civil Society action here in North America, as will be argued below.

THE EUROPEAN DIRECTIVE ON DATA PRODUCTION, KEY TO THE IMPORTANCE OF THE SAFE HARBOUR AGREEMENT

To see why the Safe Harbour Agreement is so important, despite its limitations as a guarantor of privacy, go back to the April 1999 version of the International Safe Harbour Principles. It begins with the following remark: "The European Union's comprehensive privacy legislation, the Directive on Data Protection (the Directive), became effective on October 25, 1998. It requires that transfers of personal data take place only to non-EU countries that provide an "adequate" level of privacy protection."

The key phrase here is "adequate level of privacy protection". To get an idea of what this means, go back to a Q&A issued by the European Commission late in 1998, and still available at its web site. Concerning the Directive on Data Protection, the Q&A contains the following remark: "At a time when an increasing quantity of personal data is processed and made available, the Directive spells out the basic individual rights to privacy: for example, every person should have the right of access to personally identifiable data relating to him/her, and a right to rectification of those data where they are shown to be inaccurate. In certain situations, he/she should also be able to object to the processing of his/her personal data. In addition, individuals should be provided with information as to the purpose of processing and the identity of the data controller, so that they can exercise their right of access. Where "sensitive" data are involved (for instance, medical data, and data revealing racial or ethnic origin, religious or philosophical beliefs), additional safeguards should be in place, such as a requirement that the person concerned gives his/her consent for the processing.

At the same time, the Directive ensures that companies and other organisations will be able to transfer personal data throughout the European Union. In most European countries, the protection of personal data is a constitutional principle, and the right to privacy is enshrined in the European Convention on Human Rights."

If nothing else brings home the point that North American experts in highly targeted marketing could well find themselves in rather hostile waters across the oceans, this remark should lay any doubts to rest.

THE DIRECTIVE AND THE AGREEMENT WILL HASTEN RESOLUTION OF THE INTERNET PRIVACY ISSUE

This Directive on Data Protection by the EU, and the Safe Harbour principles recently agreed upon, are going to bring the internet privacy debate to a resolution much more quickly than we might have thought, upon considering only the forces at play within North America. Here's why.

North America is approaching a plateau on internet usage. New hooks-up to the net will continue; but the rate will become slower and slower. Companies looking for massive growth of e-commerce-based revenue growth are going to have to look abroad in the coming years. There they will often find public attitudes and legislation concerning privacy 'a bit different and less comfortable' than what they had been accustomed to addressing.

To break into Europe in a big way, these companies and their supporting army promoting highly targeted marketing are going to have to change their behaviour. Just to be granted 'safe harbour' in Europe, substantial change will be needed.

And if they can change their behaviour in order to grow in Europe, why can they not be more privacy-friendly right here at home?

This is the $64,000 question that well organized community-level groups of consumers should prepare to leave at the doorsteps of all companies granted 'safe harbour' in Europe but perceived to be unable to grant our own citizens the same privileges.

Let me give you a very concrete example of how important this can become. This morning I logged on to a news site, and was promptly asked to admit a cookie. When I looked at the content of the cookie I saw the string "ID= ...". Well, I have never logged on to this site before, and I certainly gave them no information this morning. So why are they attaching an ID to my computer? Well, by now you know the answer to this question!

I would have thought that if some news site that had never seen me before wanted to use my computer and my browsing habits to advance its marketing aims, it would be decent enough to explain what it was about and get my permission based on the explanation.

Let me add this was NOT DoubleClick, either. It is a Canadian company that shows news items amidst a ton of advertising banners. The news items were all man-bites-dog items, so they are just a show window behind which to execute the real aim of this site -- sell advertising exposure to other companies. I have read, and wish to emphasize here, that while DoubleClick has been getting it on the chin from 'everybody in sight', they may well be a better Business Citizen than most of the other companies in the targeted marketing business!

Below, we will review some key parts of the tentative Safe Harbour Agreement and then go on to show how organized Civil Society groups can capitalize on this progress. The points to be made rest on another foundation worthy of note here -- a 1997 proposal to limit the use of cookies, and to have each cookie bear more useful information for the person who wishes to examine a cookie's content. This proposal was prepared by a group of software engineers led by two from Bell Laboratories and Netscape Communications.

So, first, a few remarks about their work.

PROPOSAL TO FURTHER DISCIPLINE COOKIE USAGE FROM A GROUP OF ENGINEERS

Most often the details of an arriving cookie are (1) an IP address or a URL of the declared sender (who may or may not be the true originator of the cookie or the party that will make use of the cookie when you move to another site where this party is also operating), (2) an expiration date (often one arriving long after you are dead -- which means never expiring from your viewpoint), and (3) one or more strings of text (often looking like gibberish -- which means something you are not supposed to be able to see and understand).

This much information does not come close to what was proposed by the engineers back in 1997.

They proposed that creators of cookies consider providing a comment that "allows an origin server to document its intended use of a cookie. The user can inspect the information to decide whether to initiate or continue a session with this cookie." We would be happy to learn that we are wrong in our impression that today's cookies rarely have this information.

Another notable proposal reads as follows: "When the user agent terminates execution, it should let the user discard all state information. Alternatively, the user agent may ask the user whether state information should be retained; the default should be "no". If the user chooses to retain state information, it would be restored the next time the user agent runs." The phrase "state information" refers to cookie-borne data.

No such opportunity is now presented to us when we stop using one of the popular free browsers.

A third issue of importance for privacy is whether the communications channel used to carry cookie-borne information is secure. The engineers recommended that "information of a personal and/or financial nature should only be sent over a secure channel. For less sensitive information, or when the content of the header is a database key, an origin server should be vigilant to prevent a bad Cookie value from causing failures."

An example of a bad cookie value is a string containing bytes that the interpreting program was not designed to handle, and which causes the program to either 'blow up' or do unanticipated things (such as allowing clever intruders' access to confidential files).

It is a testable hypothesis that not one of the three proposals just cited has received anything close to wide acceptance. These are, to repeat: (1) providing surfers with information about the purpose and intended use of a specific cookie, (2) pausing the shut-down of a browser program to allow the surfer to instruct that cookies received be discarded promptly, with stated exceptions, (3) ensuring that any information that contributes to identification of the surfer be transmitted via secure channels only.
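One way to test that hypothesis on a site you visit is to audit each Set-Cookie header it returns against the three proposals. The following is an added example, not code from the original article or from the engineers' proposal: it checks for the Comment attribute (from the 1997 proposal, RFC 2109), for whether the cookie is set to outlive the browser session (and by how much), and for the Secure flag, and it refuses a value carrying control bytes instead of passing it on. The reference date and the sample headers used in the comments are constructed.

```python
"""Audit a Set-Cookie header against the three 1997 cookie proposals."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed reference "now" so results are reproducible; a real tool would
# use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2000, 6, 1, tzinfo=timezone.utc)
# An expiry this far away is "never expires" from the surfer's viewpoint.
FAR_FUTURE = timedelta(days=10 * 365)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    A header containing control bytes is rejected up front (ValueError) rather
    than handed to code that was not designed for it: the 'bad Cookie value'
    caution the engineers raised.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in header):
        raise ValueError("control bytes in Set-Cookie header")
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("cookie pair must be name=value")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"') if sep else True
    return name.strip(), value.strip('"'), attrs


def audit_set_cookie(header, now=REFERENCE_NOW):
    """Report which of the three proposals one cookie honours."""
    name, value, attrs = parse_set_cookie(header)
    documented = "comment" in attrs                      # (1) purpose explained
    persistent = "expires" in attrs or "max-age" in attrs  # (2) survives browser exit
    outlives_user = False
    if str(attrs.get("max-age", "")).lstrip("-").isdigit():
        outlives_user = timedelta(seconds=int(attrs["max-age"])) > FAR_FUTURE
    elif "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            outlives_user = exp - now > FAR_FUTURE
        except (TypeError, ValueError):
            outlives_user = True  # unparseable date: assume the worst case
    secure_only = attrs.get("secure") is True            # (3) secure channel only
    return {"name": name, "documented": documented, "persistent": persistent,
            "outlives_user": outlives_user, "secure_only": secure_only}
```

Run it over the Set-Cookie lines a site sends you (for example, copied from your browser's cookie viewer or a captured response) to see how many honour none of the three.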

Let us keep this main idea in mind as we turn to some key provisions of the just concluded Safe Harbour Agreement. These features are highly relevant to consumer empowerment.

NEW AMMUNITION FROM THE SAFE HARBOUR AGREEMENT

Since several European countries have privacy protection laws more stringent than ours, a USA company can be said to have a 'safe harbour' in which to obtain data about European customers IF it complies with certain conditions. The Safe Harbour Agreement deals with these conditions.

Some key provisions in the Agreement are as follows:
"* Notice. Each company in the safe harbor must provide individuals with a notice explaining the purposes for which it collects and uses information about them, how to contact it with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means that it offers individuals for limiting the use and disclosure of the information.
* Choice. Each safe harbor company must give individuals the opportunity to choose whether and how the personal information they provide is used by or disclosed to third parties. No distinction is made between affiliated and non-affiliated third parties in this regard. Negative (opt out) consent generally is sufficient, although affirmative (opt in) consent is required if the information being used or disclosed is particularly sensitive. ("Sensitive information" as defined in the Directive includes, among other things, medical information or information that would disclose a person's race or religion, but does not include financial information.)
* Onward Transfer. Each safe harbor company must require third parties who receive information to provide the same level of privacy protection for that information as the company itself provided.
* Security. Each safe harbor company must protect information from loss, misuse, or unauthorized access, disclosure, alteration or destruction.
* Data Integrity. Each safe harbor company must ensure that data is reliable for its intended use, accurate, complete and current.
* Access. Each safe harbor company must give individuals the right to view, correct, amend or delete information about them held by the company.
* Enforcement. Each safe harbor company must provide mechanisms for ensuring compliance with the other six privacy principles and the company's privacy policies."

A recent Reuters story about the approval of the Agreement by the USA and the EU prominently stated that some consumer groups in Europe are upset because the agreement is less strict than existing laws in several EU countries.

What Reuters might have added, to put the matter into a more useful context for North Americans, is that the provisions quoted above define a regime that does not now exist in North America, and one that would probably be successfully blocked by a consortium of "powers that be".

Any clear move toward these provisions would be a major step forward for those who feel that persistent internet snooping by marketing firms is an unwanted debasement of the quality of our lives.

As already pointed out, a North American company that abides by those rules in order to expand in Europe should be repeatedly asked to explain why it is so hard to offer similar privacy-friendliness to our own people.

HOW TO USE THIS NEW AMMUNITION?

What else should we do?

Certainly not wait for the major institutional stakeholders to protect our privacy. That, in fact, is not a top priority for them, except where manifest plundering of privacy threatens to bring people-driven sanctions down on the heads of individuals (e.g., individuals losing elections, company services being boycotted, etc.).

What we should do is use the springboard provided by the engineers' proposal (summarized earlier) and the Safe Harbor Principles to create a set of citizen-generated Consumer Protection Standards, policed by aggressive groups organized and active at the community level.

Organizations would be invited to demonstrate that they are Good Business Citizens by adopting the standards, and those doing so would be massively rewarded by consumers.

REWARD GOOD-CITIZEN COMPANIES THAT ADOPT NEW CONSUMER PROTECTION STANDARDS

Here are some possible elements of the standards, based upon what we have seen in the engineers' proposals and the Safe Harbour principles:

(1) Creators and distributors of cookies should each maintain a cookie description database that web surfers can query to examine the purpose, intended use and justification for every different kind of cookie propagated from their web servers.

Notice that this is not a remark added to every cookie. Types of cookies are defined in the database, and the remarks are placed on public view concerning each type. If a company's programmers are worth anything, this information is already well documented in their internal files. It's needed for program de-bugging and for orderly software enhancement.

And, folks, that cookie description database has got to be a very small file -- probably almost always less than 100K!

(2) If an organization is the source of banners displayed at a site other than that organization's site, ensure that at each of those other sites there is a link to the cookie description database cited in (1).

(3) If an organization has banners displayed at its site and these originated at another site, that organization's Privacy Statement should explicitly name and provide URL and email addresses for all such 'other sites' upon whom it relies for banners, as well as the link cited in (2).

The organized community-level groups should develop and continually update, and exchange among each other, lists of organizations that (a) are supporting the standards 'with their feet' on a daily basis, (b) are not supporting the standards.

The lists would also show what products and services are being advertised by group (a) and by group (b), respectively. These lists will help concerned citizens to 'vote with their pocketbooks' and/or to write to companies with praise or with demands concerning personal privacy-protection.

The Civil Society response will need to include aggressive citizen education done by volunteers, to transmit knowledge about how the bad guys are operating and what specific steps to take in order that individuals can assume greater responsibility for building firewalls around their internet privacy where possible.

A key point here is that the Civil-Society movement would seek to engineer change by defining good corporate behaviour (the standards) and differentially identifying and rewarding the companies that adopt the standards in their day-to-day operations.

LINKS TO EXCELLENT TUTORIALS ABOUT COOKIES

Just in case you need a tutorial about cookies, there is no need to include one here, because four web sites (at least) offer excellent education on this topic, when you look at all they offer. They are


    www.computer-security.com/Cookies/cookview.htm
    www.webstreetstudios.com/school/cookies.htm
    www.cookiecentral.com/
    http://privacy.net/analyze/

Finally, credits for sources for this article are also due to Individual.com services (www.individual.com). A serious effort has been made here to respect people's copyrights. Any lingering violation will be corrected promptly, as soon as someone points out where the violation takes place. Contact lestone@arawak.net.

© 2000 Arawak Enterprises. All rights reserved.