IPeekaboo

Is your personal privacy worth the price of a new computer? Most people hold out for a lot less.

Online privacy is fast becoming one of those George Carlin oxymorons, like military intelligence. Every day seems to bring fresh evidence that the two concepts don’t go together, and fresh outrage over the news.

Just in the last few weeks, several advocacy groups called for a boycott of Intel because of its new Pentium III chip, which carries a unique serial number that could allow Web users to be more easily identified and tracked. Then there was a wave of protest against Microsoft, when a German computer magazine revealed that Redmond was collecting unique identification numbers during the Windows 98 registration process and passing them on to its Web sites (though the company denies ever using those numbers to identify visitors).

The Internet is the place where we seem to cherish rights to anonymity that we’ve happily given up in nearly every other arena of our lives. People who gladly hand over a signed credit card slip to a perfect stranger, placidly watch the Blockbuster cashier scan their video rentals with a laser reader, and optimistically drop their business cards into a drawing for a free lunch, suddenly seem to panic at the notion of anyone online knowing anything about them.

Part of the anxiety is undoubtedly due to the terra incognita factor, and the fact that everything Internet-related is hyped either as an unprecedented menace or an unprecedented marvel. The Internet puts us in direct contact with a vast computer network that we don’t understand and know we can’t control. (Whereas, inscribing our name into the nice, classy-looking catalog-request book at the Banana Republic counter somehow seems less disquieting.) Also, since Web surfing is such a “granular” experience—clicking through to individual pages, searching on highly specific words—the ability of someone to know what we are doing online seems tantamount to an ability to follow our trains of thought.

But if some of the fears are irrational, they may also be well justified, for digital technology is giving information brokers new kinds of efficiencies and power that will make it ever easier for your far-flung personal data to be cross-referenced, compiled, and sold. In fact, the laws governing use of this information practically mandate that such commercial exploitation take place. As the implacable forces of global shopping come to dominate the Web’s evolution, the present-day struggle over privacy may soon seem as quaint as earlier outrage over Internet advertising. Web masters more than likely already know more about you than you realize. And they are busily devising ways to find out the rest.

Your personal information is fast becoming one of the most coveted commodities on the Web—second only to your “eyeballs.” Many sites—for lack of any other plan—are hoping to make their money through advertising, and user information becomes especially critical in this business model, since you attract advertisers by showing that you deliver a valuable audience. At the same time, the Web is supposed to be the God-given mechanism for “one-to-one marketing”—messages tailored just for you, the single mother of two who drives a Corolla and is shopping for skis—which, of course, requires your knowing as much as possible about who’s on the other end of the mouse. “Telemarketing and direct mail get a response rate of 1 or 2 percent,” says Russ Smith of the consumer organization Consumer.net. “If they can increase that to 10 percent, that’s huge profit.”

As a result, your personal information, and your willingness to subject yourself to marketing messages, have become a valuable and tradable currency. Companies such as NetZero and Freei.net offer free Internet access in exchange for your personal data, the freedom to monitor what you do online, and permission to send you specially targeted advertising. Several companies have started up “ratings” services, akin to TV’s Nielsens, offering modest incentives to get people to agree to have tracking software lodged in their hard drive.

The most eye-opening gambit was made earlier this year by a Bay Area company called Free-PC, which offered to hand out 10,000 free Compaq computers to people willing to answer questions about their interests and income, be monitored, and put up with a continuous frame of animated advertising on their screens. Half a million people applied for the PCs in just the first few days. (Only the most demographically desirable stand a chance, however. If you actually need a free PC, don’t bother.)

As business propositions, some of these schemes look pretty hopeless. “A free PC is an absurd example, frankly,” says Steve Podrachik, whose Seattle company, Marketwave, helps companies analyze who is visiting their sites. “I don’t know how they can possibly make money on that. If you think of your personal information as a kind of currency, it isn’t worth that much.”

THIS SEEMS PARTICULARLY TRUE when you consider that even while companies are scrambling to find ways to bribe you into disclosing who you are, there’s plenty they can learn the moment you land on their site without your telling them a thing. By looking at the “Internet Protocol” (IP) address of your computer, as well as the server you came in on and the information transmitted by your browser, a Web master can generally know what part of the country you are in (perhaps even locating you to within a few miles), who your employer is (if you’re on a company network), what Web page you were last viewing, and even such things as the size of your computer monitor and hard drive. (To see a demonstration of this analysis, go to www.consumer.net/analyze.)

Dialup Internet connections generally assign IP addresses “dynamically”—meaning that your address will change with each online session—but if you have some kind of fixed connection, like a cable modem or a corporate network, then the IP address may serve to uniquely mark your computer. So if you have entered your name or other personal information somewhere else on the Web—perhaps by entering one of the many online “Win a VW Beetle” sweepstakes—your IP address can be cross-referenced with the address and its attached information in the sweepstakes database to identify you personally. “Once they get the first personal identifier, they can now correlate all of the information from real-world databases with all your online activities,” says Lance Cottrell, president of Anonymizer.com, a site that lets you hide your IP address.

Once on a site, you are generally tracked by means of “cookies”—small bits of data deposited on your computer to serve as an identifying marker. After tagging you with a cookie, the site can record your behavior as you click around and recognize you the next time you visit. “The cookie doesn’t know who you are, it just knows you as ‘the guy in the blue shirt,’ effectively,” says Podrachik. (However, Microsoft has admitted that its cookies sometimes contain a personally identifying number transmitted during Windows 98 registration. The company has pledged to purge those cookies.)

Cookies are also deployed by ad banners, allowing marketing agencies to record your behavior across the hundreds of different Web sites where they display ads. At MatchLogic, one of the leading online marketing firms, vice president Kim Edlin says that when a surfer turns up at a page where MatchLogic owns the ad, “We know what kind of ad has been [previously] sent to this computer, know what site you were at when you saw the ad, and know what activity did or didn’t result [i.e., did you ‘click through’].”

MatchLogic is one of several companies trying to amass enormous Web user profiles that can be used for targeted marketing. Edlin says the firm creates “contact points” by sponsoring contests—“Win a Million Dollars”—which prompt users to send in their personal data. (Users are asked to approve the use of that data for “research” and other commercial purposes.) The firm can then follow the behavior of those users online, match it up with similar behavior of users it has cookied but doesn’t have personal data on, and thereby make an educated guess about the unknown person’s demographics.
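An added illustration (not part of the original article) of the linkage described above: an ad server groups page views by cookie, falls back to the IP address when no cookie is sent, and ties a profile to a name once a contest entry carries the same cookie. All hosts, addresses, cookie values and the contest record are constructed for the example.

```python
from collections import defaultdict

# Constructed ad-server hits: (client IP, Cookie header value or None, Referer).
# Hosts, IPs (documentation ranges) and cookie IDs are invented for this example.
HITS = [
    ("203.0.113.7",   "uid=a91f", "http://news.example/skiing"),
    ("203.0.113.7",   "uid=a91f", "http://autos.example/corolla"),
    ("198.51.100.20", "uid=a91f", "http://shop.example/skis"),    # same browser, new dial-up IP
    ("198.51.100.44", "uid=c302", "http://news.example/sports"),
    ("192.0.2.15",    None,       "http://news.example/skiing"),  # no cookie sent, fixed IP
    ("192.0.2.15",    None,       "http://shop.example/boots"),
]
# Constructed "contest entry": personal data submitted while carrying a cookie.
CONTEST = {"uid=a91f": "Jane Doe, Seattle"}


def visitor_key(ip, cookie):
    """Identifier the server can attach to a hit: the cookie if sent, else the IP."""
    return cookie if cookie else "ip=" + ip


def build_profiles(hits):
    """Group the pages seen (taken from the Referer) under each visitor key."""
    profiles = defaultdict(list)
    for ip, cookie, referer in hits:
        profiles[visitor_key(ip, cookie)].append(referer)
    return dict(profiles)


def identified(profiles, contest):
    """Profiles that become tied to a named person through a contest entry."""
    return {contest[k]: pages for k, pages in profiles.items() if k in contest}


def strip_cookies(hits):
    """The same traffic as it would look if the browser sent no cookies."""
    return [(ip, None, ref) for ip, _, ref in hits]


if __name__ == "__main__":
    for key, pages in build_profiles(HITS).items():
        print(key, pages)
    print("named:", identified(build_profiles(HITS), CONTEST))
    print("no cookies:", build_profiles(strip_cookies(HITS)))
```

With the cookie present, three sites and two IP addresses collapse into one named profile; without it, the dial-up visits split apart by address while the fixed-IP visitor stays linkable.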

The trafficking in personal data on the Web is a classic—and highly efficient—example of a long-established American tradition: finding ways to “add value” to material that may initially be commercially worthless. “You give away [your personal data] for free,” says local attorney Steve Dickinson, “and someone reorganizes it and makes it valuable.” Dickinson believes that privacy advocates are fighting a losing battle, since legal tradition is squarely on the side of the information gatherers/brokers. “There’s this ‘highest and best use’ paradigm in law,” he says, “that practically dictates that if something can be turned into something valuable, it should. It’s almost like a moral imperative.”

THERE ARE, OF COURSE, ways to stymie the privacy incursion. Most browsers allow you to refuse to accept cookies, for example. From Anonymizer.com, you can browse the Web or send e-mail from behind a firewall that the company says will render you completely untraceable. It’s a free service (save for an ad across the top of your screen, bien sûr). Seattle software-maker WRQ recently released a product called AtGuard that provides similar benefits—and also blocks out ad banners.

As the Net becomes more and more a mass medium, it seems likely that a privacy split will develop between the cognoscenti, who have the technical know-how to protect themselves, and unsophisticated users—the kind who even today don’t realize they can change their home page. Online merchants are becoming more conscientious about describing their “privacy policies” and offering consumers—those who bother to read the fine print, at any rate—a chance to control how their information is used. Many companies pledge that they will never disclose personal information to any “outside parties,” for example. (Amazon.com says it doesn’t do so now, but “we may choose to do so in the future.”)

Yet as the corporate consolidation of the Web continues, there will be few parties left “outside.” MatchLogic, for instance, has been bought up by Excite, which recently merged with @Home, which is majority-owned by TCI, which is being swallowed by AT&T. . . .

Despite the vocal outrage of privacy advocates, a generational shift in attitudes may soon help to snuff out the current controversy over privacy, as more people simply take it for granted that they have none. One marketing consultant who took part in focus group sessions for PC Data’s new Internet “ratings” system says, “You always had one person out of the 10 who’d say, ‘I will never, ever give out my personal info.’ You would have five or six who’d say, ‘All right, if the price is right, sure.’ Then you’d have two or three, who were usually the youngest in the group, saying: ‘They’re going to know all about me anyway, so I might as well get something for it!’” It may be that for people raised on a steady diet of The X-Files and Internet conspiracies, cookies are nothing more than child’s play.