• by Mark Naples , July 23, 2004

By now, some of you may be tired of my quarterly screeds on how misperceived privacy matters are within our industry, and within the media and marketing industries as a whole. It's not that so many readers complain to me that I'm wrong or anything. They just complain that the issue doesn't matter so much.

Well, much like affirmative action" became diversity, now online privacy has become cyber trespass. Which brings us to HR 2929, the Securely Protect Yourself Against Cyber Trespass Act of 2004, introduced by Rep. Mary Bono, and passed out of committee to the full house by a vote of 45 to 4 last month. This issue has enough people up in arms that there is a bill about to become legislation in the U.S. House of Representatives, and about the only thing in our industry that it doesn't cover, is cookies.

Remember those halcyon days when some people thought cookies were the troublesome item? Take a look at this bill, and tell me what it means. Yes, we need something preemptive. Yes, disclosures need to improve. But, most of the business practices outlined in this bill are already illegal.

Hijacking, surreptitious surveillance, and inhibition of termination - that is, taking over users home pages or Web searches, tracking their key strokes or banner clicks via some means other than a cookie, or leaving tracking software on a user's hard drive after that user has removed the subscription or program that invited it - all these are already illegal.

In presenting a list of these practices to the FTC at its April workshop, the associate director of the Center for Democracy and Technology (CDT), Ari Schwartz, told the commission that the business practices already defined by the Consumer Software Working Group demonstrated widespread consensus that certain practices involving software are already illegal. In a preface to its list of spyware scenarios, the Consumer Software Working Group said it "is concerned about a specific set of devious, deceptive or unfair practices that adversely affect consumers online. Most of these practices may be illegal under current law, depending on the specific facts of the particular case."

So, will this just be something else to raise the profile of Eliot Spitzer, so he can spend millions of dollars of taxpayer money to collect thousands of dollars in spammer fines?

Look, in reality, if not in perception, WhenU and Claria don't have a privacy problem. If you don't use personally identifiable information (PII) in the serving of your ads, then you - by definition - do not have a privacy problem. People in our industry have difficulties with the business models of these companies. But both companies provide a level of disclosure that exceeds even what the Bono Bill - with appropriate amendments that are sure to be added - will require. I'll bet that both will amplify their disclosures too. But, these companies aren't the problem, as I have written before. The companies that are the problem in this arena operate under names you wouldn't recognize.

Behavioral targeting companies such as Tacoda and Revenue Science have no privacy problems either, since their targeting and delivery of ads works through the publishers of sites that users visit. Again, it need not involve PII.

In the cases of all these companies, there is a clear quid pro quo. If you read today's New York Times Digital, or any number of other interactive newspapers, it didn't cost you anything. One way that these sites' publishers have brought their businesses into the black is by finding new ways to monetize their media asset - their users. Of course, when you subscribe to the New York Times Online, you provide PII. But, behavioral targeting technology does not see through the publisher, as it were. Serving ads that are targeted behaviorally doesn't imply any contact with the PII.

So, where is the privacy problem? I keep telling people that it's not online. This link to the ACLU site made the rounds this week, and many found it to be a humorous "what if" cautionary tale. Every time I see it however, it makes me break into a cold sweat because I know that the technology exists to make it happen, and that the legislative regulatory barriers to prevent it from happening really do not exist.

Sure, Do Not Call Act has helped. But, that's only about telemarketing. When it comes to the other means of data gathering, your credit card company knows more about you than your spouse does, trust me on that one.

Privacy advocates who were fighting profiling, and other means of collecting data across sites, won the war. Today, the companies that drop executables on users' hard drives and track their movements generally don't bother with PII anyway. I've already written about some of them, and was threatened with a lawsuit, which sort of made me chuckle as I cleaned their home page-hijacking.exe files off my hard drive three times in the next week.

Will the passage of HR 2929 or some similar bill affect that? Or, will it just affect the business practices of more reputable companies?