Privacy Rides Again

Smart Business, December 2000
by Thomas Claburn

Like Elvis, privacy appears now and then to remind us of its passing. Lately, it's been haunting the business community, so much so that its widely reported death may have to be reevaluated.

The corporate lust for data about who's doing what online has finally provoked broad public indignation and renewed hope that legislation may be able to do what the business community could not: revive privacy before technology buries it. Recent gaffes include Toysmart.com's plan to raise cash for its creditors by selling its customer data—in violation of the company's stated privacy policy. This earned the bankrupt e-tailer a July lawsuit from the Federal Trade Commission and condemnation from privacy advocates. Similarly, Toysrus.com's practice of outsourcing the analysis of its online customer data to Coremetrics, a marketing intelligence firm, came to an abrupt halt in August after two class-action lawsuits alleged the arrangement violated the toy seller's privacy policy. Legislators, meanwhile, have been slow to respond.

"In the past four years, there have been hundreds of privacy bills proposed, but very few of them have passed," says Jason Catlett, president of Junkbusters.com, a privacy advocacy organization. "The reason is that the lobbying of marketing companies that exploit personal data unfairly has managed to stop almost all of these bills from passing."

Lawmakers continue to propose legislation that may or may not better protect financial, medical, and personal data. But even as the FTC scolds unruly data collectors and fights the rise in identity theft, the FBI is pushing for greater access to people's lives via its e-mail peeping system Carnivore. (See "Carnivore Bites")

Critical Mass

But the deployment of increasingly sophisticated technology in the workplace, in public, and across the Internet has galvanized public concern. "Computers and communications make it possible to monitor people in ways that they would never, ever expect it and would have never put up with before," says Richard M. Smith, chief technical officer of the Privacy Foundation.

A recent survey by the nonprofit Pew Internet & American Life Project says 86 percent of Internet users favor opt-in privacy policies that require companies to ask for permission before using personal data. And 54 percent of the Net users surveyed believe that it is an invasion of privacy for Web sites to track visitors. In a May report, Forrester Research predicted the issue will prompt "an excruciating series of fights" and that "the battle over Internet privacy will play out in two rounds of legislation—one in 2001 and another in 2005."

Among businesses, the fear in the air is palpable. American Express, AT&T, Citigroup, Excite@Home, DoubleClick, Prudential Insurance, and U.S. Bancorp, to name a few, have all recently hired privacy officers—a career option that barely existed a year ago—to chaperone the data collected from online and offline customer interactions. And the Direct Marketing Association, in conjunction with at least a dozen major companies including Dell and IBM, has proposed spending $80 million on an ad campaign to educate consumers about the joys of data collection.

At stake, according to Josh Isay, director of public policy at DoubleClick, is the future of business on the Net. "The Web is advertising-driven and free, by and large, to consumers," he says. "If Internet advertising is not effective, if it's not targeted to consumers' interests, then advertising revenue will fall and Web sites will either go out of business or charge consumers."

To forestall legislative restraint, 11 of the leading Web advertising networks, including 24/7 Media, DoubleClick, and Engage, formed a group called the Network Advertising Initiative (NAI) and put forth a set of principles for self-regulation. Says Isay, "We think that this tough-but-fair agreement protects consumer privacy while at the same time allowing Internet advertising to thrive and the Web to remain free."

Free Rein

Privacy advocates naturally take a different view. Andrew Shen, a policy analyst at the Electronic Privacy Information Center, says, "The NAI guidelines are basically a wish list for the network advertisers." He contends the rules would allow Internet advertisers to link personal data—names and addresses—with anonymous online activity profiles, which is essentially what got DoubleClick into trouble last year. Isay maintains that "DoubleClick has no plans to link names or personally identifiable activity across sites."

Though the FTC supports the NAI guidelines, it also has called for legislation—hardly a vote of confidence in the industry's ability to police itself. "The commission has taken the position that for the Internet to succeed as a marketplace, businesses need to respond to consumer concerns," says Dana Rosenfeld, assistant director of the FTC's Bureau of Consumer Protection. "For that reason, the commission has advocated self-regulation by the industry to address consumers' privacy concerns. More recently . . . we issued a report suggesting that although self-regulation is important, what we really need now is legislation to set some baseline standards for what Web sites need to do to protect consumers' privacy."

There are compelling arguments for criminalizing the sale of Social Security numbers to protect against identity theft, and for restricting the dissemination of medical data to guard against discrimination by insurers or employers. But does tracking online activity pose the same potential for harm?

Shen says he thinks it does. "What if you just bought a book called Living with AIDS?" he says. "That's not medical data per se, it's just a record of a transaction. It nonetheless indicates very sensitive information." Doubly so, considering the watershed change to Amazon.com's privacy policy in September, whereby the company stated its intention to treat customer information as a saleable business asset while eliminating opt-out provisions.

For Catlett, the issue goes beyond harm: "It's a question of personal autonomy and of the right of people to determine whether information about them is distributed."