Subj: Online Privacy: Perspectives of Barbara Bellissimo, Privada
From: Barbara Bellissimo, Privada, c/o Software & Information Industry Association (SIIA), Ted Karle, 202-452-1600, tkarle@siia.net
To: Internet Caucus Advisory Committee

PROTECTING ONLINE PRIVACY: SAFEGUARDING BUSINESS AND CONSUMER TRANSACTIONS

***Although Web surfers can find a wealth of information online, Web sites can also gain a wealth of information about site visitors – regardless of whether or not the visitors want to share the information.***

By Barbara Bellissimo, Privada

In today’s networked society, consumers and businesses are increasingly able and eager to access information, buy and sell products and conduct research online. What many people don’t know is that the flow of information often goes in two directions. Although people can obtain almost unlimited quantities of information from the Internet, they are also vulnerable to disclosing their own personal data unwittingly.

Some consumers and businesses have recognized this danger and have shied away from the Internet because of its security and privacy flaws. With the many different resources on the Internet, it remains difficult to determine which sites are trustworthy, provide anonymous services or protect their customers’ privacy. Without the ability to protect their personal information, consumers will continue to be reluctant about purchasing goods and services from the Internet, and the promise of Internet-based electronic commerce will not be fully realized.

PRIVACY CONCERNS AND USAGE HAZARDS

Consumers should be in control of who has access to their personal information as they roam the Internet. However, there are currently three common areas where consumers can experience breaches in privacy. These areas include surfing the Internet, sending e-mail and purchasing goods and services online. Once a consumer logs onto the Internet, there are many ways personal information can be collected and used.
Some Web sites can obtain personal information from surfers via “cookies.” Cookies allow Web servers to recognize a specific user or machine used to access that Web site. The cookie file is stored on the user’s computer and read by the Web server during each subsequent visit to the Web site. Although most Web browsers allow users to turn off the cookie feature, many Web sites cannot provide access or personalized services unless cookies are accepted. The information collected in a cookie can then be used for direct marketing efforts without the consumer’s knowledge.

When consumers log onto a Web site, site administrators can often learn their e-mail address, which operating system they use, their computer name, browser type, plug-ins installed, the date and time on the system and even personal data on the person in charge of the domain name. Armed with this information, companies can create a profile of consumers and track the sites they are visiting, all without consumers’ permission. This type of tracking would never be tolerated in the real world as shoppers wander from store to store.

The rapid growth of electronic commerce adds to the complexity of the privacy problem. Online shoppers must provide their address, credit card and other personal information to purchase and receive products and services. Consumers often find that their personal data is collected and used for market research, direct marketing and other purposes once they’ve bought products online. Sometimes this leads to annoying dinnertime telephone calls pitching products related to those they’ve purchased online or expressed an interest in by browsing a site.

When individuals send e-mail, their names and e-mail addresses can be collected, recorded, checked against other records and added to their “profiles.” Additionally, the e-mail content itself is anything but confidential.
The data that companies may gather on individuals can be sold to third parties or shared with partners, allowing these aggregators to associate credit card numbers, reading habits, Web site usage patterns and more. These data are collected, stored and accessed by companies to improve target marketing and advertising efforts. Marketers use data many people would rather keep secret, such as how much they earn, where they shop and what they buy.

PRIVACY CONCERNS TO BUSINESSES

It has become a sound business practice for online companies to adopt a privacy policy to assure consumers about the protection of personal information, while building confidence and long-term customer relationships. In addition, businesses need a degree of anonymity to protect themselves, their employees and their constituents. Just as consumers don’t want to be deluged by marketers, businesses cannot afford to lose customers and employees because they’re unable to ensure the privacy of these groups. Privacy is currently a market issue, not a regulatory one, so it’s in a business’ best interest to differentiate itself by safeguarding the privacy of its customers and employees.

Many corporations are seeking privacy solutions to ensure that they can conduct internal communications and competitive research safely and anonymously. By offering their employees online anonymity, businesses may protect themselves from potential lawsuits brought on by employees misusing their Internet access. There are also situations – specifically in the medical and pharmaceutical industries – where corporations can expand their reach by providing sensitive information to individuals without any knowledge of the recipient’s identity.

PRIVACY PROTECTION LEVELS

There are several ways to safeguard consumer and business privacy in cyberspace. These methods can be divided into two categories: privacy given by Web sites and privacy taken by Web surfers.
With few laws regulating the types or amount of personal information Web sites can capture, some groups are voluntarily providing their constituents with a private and safe online environment. The Direct Marketing Association (DMA) has attempted to regulate Web sites by creating privacy-policy guidelines for both traditional and online database marketers. DMA members are required to abide by its guidelines.

In addition, TRUSTe, a private organization formed in 1997, governs Web sites in an effort to make privacy a structural and technological component of the Internet. It seeks to create a branded symbol of trust on the Internet using seals of approval. TRUSTe is also a part of the Online Privacy Alliance, which encourages adherence to sets of self-regulating principles aimed at protecting personal information. TRUSTe works to raise awareness and educate the Internet community and promote the values of full disclosure and informed consent.

However, even though Web sites are forcing themselves to create these online disclosure statements with certification badges, privacy is not necessarily guaranteed. Many believe the Internet is too broad and changes too quickly to be policed effectively.

Consumers can take personal steps to avoid providing personal data by making good choices about what data they disclose voluntarily and reading the privacy policies of the Web sites they visit. However, Web surfers need to remember that many privacy policies are intentionally vague and are not always fully implemented.

Without assurances from Web sites, many consumers are taking control of protecting their online and real-world identities. The most basic method is simply creating a fictitious persona for online use, avoiding providing credit card information to unfamiliar Web sites and using a free e-mail account for online shopping, saving personal e-mail accounts for friends and work associates. Consumers should also encrypt e-mail messages whenever possible.
There are also services known as re-mailers. Anonymous re-mailers are free Internet services allowing users to send e-mail without disclosing their names or addresses. The re-mailer will strip the user identification material from the message and re-send it. This technique is not totally private, however; the re-mailer knows the user’s information and unless a message is encrypted can read the e-mail. The re-mailer could, under various laws, be forced to reveal the identity of a user.

There are, however, reliable ways to safeguard consumer online identity while Web surfing, shopping and communicating by e-mail. Companies and individuals seeking these reassurances should consider using privacy-enhancing technologies (PETs). PETs help users maintain control over their personal information while using the Internet. Although the U.S. government and Internet marketing associations continue to discuss how to best set regulations or develop standards for conduct, many companies are turning to PETs. Internet portals, e-mail providers and corporations are especially interested in how PETs can provide their users with the protection of Internet anonymity.

A number of companies have developed products that let users send and receive e-mail and browse the Web anonymously, via encryption and digital identification technologies. This approach ensures that control of personal information remains with the person initiating the transaction. The products completely disassociate real-world identities from online identities, allowing users to communicate with anyone on the Internet without sacrificing their privacy or control of their personal information.

With all the benefits of online privacy and anonymity, it is important to remember that these benefits also come with important responsibilities. My company believes in maintaining the integrity of its privacy-enhancing technology and the rights of consumers and businesses online.
At the same time, the company operates in a manner that helps prevent misuse of anonymity. For example, if individuals use their anonymity to break the law, a Privada network operator can utilize a virtual “wire-tap” facility, which upon a court-legislated subpoena can be turned on in order to track down criminal activity from that point forward.

***Barbara Bellissimo is founder and vice president of marketing, Privada and a member of SIIA’s Board of Directors. She can be reached at barbara@privada.net. This article was printed in the April 2000 issue of Upgrade, a publication of SIIA. Over 9000 copies of Upgrade are distributed to SIIA members worldwide.***

Software & Information Industry Association (SIIA)
1730 M Street, NW, Suite 700
Washington, DC 20036-4510
202.452.1600
www.siia.net