Some big computer out there knows all about Joan Schram. Its massive memory has stored the birth dates of family members and friends, the fact that she drives a Ford Explorer, and the names and birth dates of her American shorthair cat and rare Brazilian fila dog.
And she's thrilled about it.
Schram gave out the information herself, answering screen after screen of personal questions from LifeMinders Inc., a Herndon-based company that collects such data from consumers and e-mails them information in return--reminders of important dates, tips on when it's time to treat the cat for ticks, and news and advertising targeted to their interests.
But like many Americans, the Kennedy Center employee also says she's uncomfortable with the thought that when she goes online, other Internet companies could be monitoring her wanderings and gathering the same kind of personal information that she freely gave over to LifeMinders. If somebody else knew about her Explorer, she says, "I'd be a little disconcerted."
It's one of the more puzzling conundrums of online life. While companies that capitalize on the Internet's powerful potential to invade privacy are denounced as villains of the information age, millions of people type out highly personal data and send it off to Web sites they've barely heard of, with no strong legal protection against misuse of the information.
The paradox helps illustrate the complexity of the debate over privacy, and the difficulties facing regulators and policymakers who are trying to promote security for Web users without braking the economic growth of the new medium.
Personal data is pure gold for advertisers eager to target their pitches efficiently and effectively, and the Internet has opened huge opportunities for marketers at the same time that it has created new privacy risks for consumers.
LifeMinders is the leader in the sector it calls online direct marketing, having quietly signed up 18 million members since the company was founded in June 1996. That gives it one of the largest online consumer databases.
Consumer databases play a key role in the debate among policymakers, regulators and privacy activists that has led to plans for tougher laws protecting online privacy. DoubleClick Inc., for example, a company that tracks Web surfers' comings and goings online in order to learn enough about them to serve up targeted advertising, has come under the scrutiny of the Federal Trade Commission and several states. The controversy led DoubleClick to postpone plans to merge its online data with a vast warehouse of information collected by an acquired company, Abacus Direct, on catalogue shopping habits.
DoubleClick, 24/7 Inc. and similar companies gather data automatically when a user visits a Web site, almost always without notifying the person or obtaining consent. The companies argue that they are not violating privacy because most of the information is collected anonymously--that is, they say they don't keep individual records with personally identifiable data without getting permission first. Still, users who want to "opt out" of the system must find the fine print on the Web site in order to learn how to remove themselves.
Companies such as LifeMinders and New York-based NetCreations Inc.--a similar firm that has signed up 9 million members--have avoided a privacy backlash because members "opt in." The result: LifeMinders' hundreds of Dell servers are filled with tidbits about millions of lives. "You give us information about yourself and we give you a great product in return," said the chief executive, Stephen R. Chapin Jr.
The company reassures members that it respects their privacy; its Web site states, "LifeMinders.com does not share member information with third parties without permission." But such promises are not always immutable. In July, the FTC filed suit to block the sale of customer lists of Toysmart Inc., a bankrupt e-retailer that also had promised never to share its data with third parties.
For its part, DoubleClick says that it is in fact offering consumers plenty of power to say no to its practices. "DoubleClick is committed to giving consumers real notice and choice," said Josh Isay, the company's Washington representative. "We believe that the appropriate standard for marketing purposes is an opt-out."
The advantages that flow from the kind of targeted ads DoubleClick serves up to Web site visitors, he said, outweigh the privacy concerns. "Consumers and Web sites benefit from customized ads that contain information about relevant goods and services; we believe that an opt-out standard allows for this, will keep the Internet free and will empower consumers to choose whether or not they wish to participate," Isay said.
Volunteers, Step Forward
The immense voluntary audience of LifeMinders is a juicy target for advertisers, who pay the company to have their products and services pitched as part of the 50 million informational, personalized e-mails that LifeMinders sends out every week.
Before founding LifeMinders, chief executive Chapin ran mass mailings for credit-card companies, where he says he picked up ideas about collecting information about people gently. "If you want to be reminded about information about your pet, you have to tell us his breed," Chapin said. "That makes sense to consumers."
Chapin and other veterans of the $176 billion direct-marketing industry who came with him to LifeMinders say they learned that while everyone gripes about junk mail, people like getting information they can use. Personalization is the difference between a missive being useful or being junk, said Dave Mahoney, the company's chief operating officer.
"As soon as we know how many objects you have in the family category--as soon as we know that you have a female child who's 5 years old--we can target that information back to you very specifically," with tips on child raising and age-appropriate books and gifts, Mahoney said.
Jack Biddle, a venture capitalist with Novak Biddle, which has invested heavily in--and profited mightily by--LifeMinders, points out that by using a time-tested business model of direct mail, the company has avoided many of the pitfalls that have been killing off dot-coms.
LifeMinders has signed up some big-name advertisers, including Pfizer Inc., BMG Music and Home Depot Inc. The company has also in recent months built up an operation that allows other companies to use its technology to send out personalized e-mail: International Business Machines Corp. and the Sydney Olympics have signed contracts with the company to send out as many as 30 million personalized Olympics updates daily during the coming games. The company is also building its capability to send out personalized messages to those tiny screens popping up on newer cellular phones.
LifeMinders has yet to turn a profit, as the company mounts a full-court press to build a huge base of members. The company spends relatively little to attract each new customer--about $3.50 apiece. Yet LifeMinders says advertising income from each customer is about $1.25 apiece every three months, which means that the company begins making money on customers in less than a year, compared with about three years for many credit-card companies and--in the case of many Internet companies--perhaps never.
The company is now spending less on customer acquisition in order to hasten the move to profitability, said LifeMinders President Allison Abraham; losses shrank from $17 million in the first quarter of the fiscal year to $12 million in the current quarter, and the company estimates "we're about two quarters away" from profitability, Abraham said.
The losses at LifeMinders so far, Biddle said, "weren't dot-com kind of losses where you spend a bunch of money to get a customer, and where the customer is worth a lot less than it costs to get him."
Chapin attributes the company's growth to the fundamental idea behind the service, which he compares to the old-fashioned corner shopkeeper: "You used to go in and he'd say, 'I know you want to buy rice today, because you haven't bought it in two weeks.' " An insight like that from someone you know and trust is comforting, Chapin suggests--while the same statement from a stranger is creepy.
But for most people, LifeMinders is hardly the corner shopkeeper, or a long-trusted brand name with a track record. So why would Schram and so many others gladly offer up details of their lives?
Schram says she has given over information to LifeMinders because she feels that she has a relationship with the company. Would she give her name, address and dog's birthday to someone who walked up to her in the mall, clipboard in hand? Would she divulge it in an online conversation with a stranger? "No," she said. "Probably not."
Austin Hill thinks he has one possible explanation. Many Internet users feel an intimacy with their machines that gives them a comfort level in the seeming privacy of their living room and in their pajamas that they would never feel on the street, said Hill, who is chief executive of Zero Knowledge Systems Inc., a Montreal company that provides privacy-enhancing tools for Web surfers.
Yet anonymity is actually far harder to achieve in the online world than in the real one, said Patricia Wallace, executive director of the Center for Knowledge and Information Management at the University of Maryland. "In the store, you can choose to be anonymous," said Wallace, author of "Psychology of the Internet." "You can carry a lot of cash, refuse to respond when you're asked for your address and Zip code. Online you must use a credit card, and you will reveal a great deal of information about yourself."
Based on public opinion polls alone, a business such as LifeMinders wouldn't seem to have a bright future. A recent report by market research firm Forrester Research Inc. indicated that two-thirds of online shoppers feel insecure about exchanging personal information over the Internet. A Harris survey found that 92 percent of consumers are concerned (and 67 percent are "very concerned") about the misuse of their personal information online.
But Hill argues that no matter what consumers say about their values, people generally won't give up convenience to protect that privacy. "Ask people 'Are you concerned about the environment?' and they'll say 'Yes.' 'Are you willing to give up your gas-guzzling SUV for an electric car?' 'No.' "
Representatives of many Internet companies will quietly (after ensuring that they will not be named) suggest that privacy activists are out-shouting the majority of Americans, who don't actually worry very much about protecting their personal information.
Some consumers would agree. "It's just too late in our world to be too terribly concerned about how your name is used," says federal employee John Morris, who initially signed up with LifeMinders because "I'm kind of rotten with remembering birthday and anniversaries and stuff" but quickly came to appreciate the flow of information about interesting Web sites to visit. "If I feel like trying to put my fingers in the holes in the dike, well, I don't have enough fingers."
The Government Steps In
Even as some Internet users become more accustomed to sharing personal information online, government regulators are moving to strengthen protections against misuse of the data. The Federal Trade Commission, which has taken the lead role in online privacy since the mid-1990s, had long leaned toward allowing self-regulation of the online world. There have been exceptions: The commission regulates online privacy protections for youngsters under the age of 13 under the Children's Online Privacy Protection Act of 1998, and it will regulate the online privacy of financial-services customers under the new Gramm-Leach-Bliley Act.
But now the FTC is asking Congress for greater authority to generally regulate privacy online, a move greeted with antagonism this summer by the Republican leadership in Congress--and even with some skepticism from the rest of the Clinton administration.
FTC head Robert Pitofsky said he hopes to see a system develop that will marry today's efforts at self-regulation with an appeals process that would defer to a regulatory body. The FTC plan focuses on consumers' knowledge and consent to having information collected as the cornerstone principles of what it calls "fair information practices," which include clear notice of a site's privacy policies, a measure of consent over how the information will be used, the ability to correct misinformation about a consumer, and the kind of security measures that will ensure that a consumer's information is safe from computer intrusion and theft.
While he notes that the FTC's policies are guided by surveys and research, Pitofsky still admits to personal irritation at seeing personal data gathered online "with no notice that this information is being collected--then accumulating it and perhaps selling it to others," he said. "It's a little like your television set collecting information about you as you watch programs and ads, and then selling it."
Lawrence Ponemon, a PricewaterhouseCoopers partner who consults on ethical and privacy issues, said that consumers should be concerned about the uses their information is put to: "I don't think people fully understand the consequences." Companies, he said, need to see the data they collect not as their private property but as assets on loan from the consumer--like a bank account--that creates a fiduciary obligation.
One change is on the way. An international standards group called the World Wide Web Consortium is readying Platform for Privacy Preferences (P3P), a long-awaited system that incorporates Internet surfers' privacy requirements automatically into the Web browser so that Net surfers don't have to read long, confusing privacy policies on every Web site. The industry-led initiative was formed to build privacy protections into the browsers that people use to cruise the Web. The P3P initiative calls for adding cues to Web sites that describe what the privacy policies are in a way that the browser can present the information in the course of surfing--that is, a warning will pop on-screen if the site doesn't meet the minimum privacy-protection standards that the user demands.
Once the system is in place, its advocates suggest, Web sites will strive to ensure that their policies qualify for the highest possible privacy rating--represented in current versions of the system as a green light. Once those policies are in place, however, the FTC could move to compel compliance with them, as it did in the Toysmart case.
Mary Culnan, a professor at Georgetown University's business school and a consultant to the government on privacy issues, said online protections could end up stronger than those governing traditional direct mailers.
"In the off-line world," Culnan said, "every list is for sale or for rent."