US should protect citizens from online profiling

One of the more outrageous online violations of consumer privacy emerged last week when a stalwart company of the Internet world…

One of the more outrageous online violations of consumer privacy emerged last week when a stalwart company of the Internet world, RealNetworks, was revealed to have been systematically gathering information on millions of its customers without their knowledge or consent.

RealNetworks distributes programmes over the Internet called RealJukebox and RealPlayer, which allow people to play audio and video on their computers. The programmes rank among the most popular downloads for computer users, and often come bundled with Web browsers or free CDs from computing magazines. RealNetworks claims 85 million people have downloaded RealPlayer, and 12 million use RealJukebox.

Two weeks ago, a software user who has dedicated himself to uncovering security and privacy problems in Internet software revealed the existence in RealJukebox of a globally unique identifier (GUID). A GUID is a unique number, assigned to each programme, that allows RealNetworks to track the personal listening habits of RealJukebox users. The number is activated during the online registration process that users of RealNetworks software go through to use the programmes. The GUID can then be associated with a particular individual, not just a particular software download.

In essence, a GUID informs on a computer user by transmitting information, such as a person's Web surfing and online buying habits, back to a home site, creating an informative picture of an individual. The technique is one of an arsenal of information-gathering tools used for "online profiling", the overall term for gathering highly detailed data that can be used then for targeted marketing. Online profiling is not new and has already come under heavy criticism by privacy advocates, who say that unregulated profiling offers an open door to widespread abuse and misuse of consumer information. Information gathering for profiling has become so widespread that most Internet users are probably not aware that they are being targeted by it when they click through on an ad, fill in an online form, or register a product online. Even simply visiting a website can generate information on a Web user since commercial sites routinely set "cookies" on a computer - small programmes that identify a Web user to the site on return visits and can allow certain types of information-gathering.

READ SOME MORE

The US has no equivalent of the European Union's Data Protection Act to protect against secretive online profiling. Unsurprisingly, US companies have said they do not want such regulations, can handle consumer data responsibly and are willing to self-regulate in the area.

But the RealNetworks debacle is a damning indictment of the workability of any plan to have companies voluntarily police themselves in the ethical use of consumer data. For many Internet users, this is particularly true because RealNetworks, given the nature of their product, has always had an aura of Net hipness. They seemed to be brash, energetic, and Net-savvy - in a good way.

Unfortunately, they used that savvy in an improperly secretive way. The company's online privacy statement did not reveal to site visitors that the company was gathering information, and many users rightly feel spied upon. One has even filed a $500 million class action suit against the company for privacy violation.

While the company scrambled to release a patch to RealJukebox that disables the GUID and has placed a beta version of a new release of RealPlayer (which doesn't transmit a GUID) on its site for download, many feel its actions are too little, too late. On the other hand, the alternative programme - Microsoft's Windows Media Player - offers scant improvement. The programme also has a GUID that's activated when you register, as many, if not most, Net users do with products. But, says Microsoft, you don't actually have to register the product. That seems a rather specious argument, given that Media Player users weren't properly aware until now that registering enabled profiling. The RealNetworks incident prompted an immediate response from the US Federal Trade Commission, which held a hearing on online profiling in the wake of the revelations.

Business representatives understand the power of the Web and its unique ability to offer them not just a vague, AB subset of the population with a set of imprecise tendencies, but the knowledge that you, personally, like Radiohead this week, while your neighbour is listening to Bach cantatas. Privacy advocates are particularly concerned at the moment about online profiling because mergers within the online marketing industry threaten to vastly increase the scope for harvesting and consolidating personal information about Web users and shoppers in general. They point to the pending merger between online advertising firm DoubleClick and direct mail catalogue tracking company Abacus Direct Corporation. The merger, they say, would bring together online profiles gathered from clickthroughs from an estimated 850 million online advertisements, and the individual purchasing histories of 88 million catalogue users.

Businesses certainly have not yet shown that they have any overriding interest in protecting consumer data and in contrast, have every reason to exploit it. RealNetworks has demonstrated how compelling that desire can be. Therefore, it's time for the US to look after its citizen's privacy rights and create comprehensive and purposeful legislation in this area - which, incidentally, also would resolve the festering conflict between the EU and US over the use of European citizen's data. This conflict threatens to hobble online trade between them.

Karlin Lillington is at klillington@irish-times.ie.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology