IS 209, Fall 2001

Focus Group: Effect of Media on Public Perception

Sub-topic: News Media Interpretations of Privacy Issues


Here is a small sample of readings on privacy issues in the media; text is below on this same page. These articles show a couple of different perspectives on the notion of privacy as it's protrayed in recent news media, specifically issues related to interactive television, privacy of data on the Internet, and medical information.

I haven't included articles related to the effect of the Sept. 11 attacks in this set because that topic entails more issues than just media perception of privacy. We can look at those separately if the group wants to.

--Jennifer


References:

1. Teinowitz, Ira. Media group targeting iTV; Watchdog charges data collection via medium is a threat to privacy. Advertising Age v. 72 (July 9, 2001):9.

2. Medical privacy rules ignore public interest, news media's role. Quill v. 89 (Jan, 2001): 4.

3. Gussow, Dave. Privacy vs. convenience. St. Petersburg Times, South Pinella Edition (May 14, 2001): 10E

4. Sanders, Edmund. Privacy cases not yielding much payoff; consumers: with laws predating the Internet, suits alleging misuse of personal data don't have much legal ground to stand on. Los Angeles Times, Sunday Home Edition (May 6, 2001): part 3, page 1.


Text

1. Teinowitz, Ira.   Media group targeting iTV; Watchdog charges data collection via medium is a threat to privacy. (Center for Digital Democracy) Advertising Age v72 (July 9, 2001):9.

COPYRIGHT 2001 Crain Communications, Inc.

Opening a new front on the privacy battle, a consumer group says it's not just the Web that marketers will be using to gain personal information and profiles about consumers. Interactive TV is the new villain.

In a 31-page report, the Center for Digital Democracy, an offshoot of the Center for Media Education, warned that media companies intend to use iTV to gain detailed personal information to target individual consumers.

The report urges that hearings be held to examine detailed technical analyses of the data collection, data mining and advertising practices'' of companies in the industry.

The model that these companies are following combines the worst aspects of the Internet and mass media, as the new systems are being designed to track not only every activity of users as they surf the Net, but also the programs and commercials they watch,'' said the group's report, calling iTV data-collection practices a new threat to personal privacy in America.''

The report (http://www.democraticmedia.org) mentions systems coming from AT&T Corp., Microsoft Corp., Scientific-Atlanta, ACTV, AOL Time Warner's America Online, TiVo, Cisco Systems, Gemstar-TV Guide International's TV Guide Interactive and Megabyte Networks.

While privacy groups criticizing marketers may be no surprise, the Center for Digital Democracy report may offer new worries for marketers given the success of some people behind the report in crafting public policy.

The Center for Media Education's series of studies on kids and the Internet-reporting that marketers were asking kids for family information without asking parents' permission-prompted the Federal Trade Commission to hold hearings and eventually helped lead to enactment of the Children's Online Privacy Protection Act.

More recently the group's executive director, Jeff Chester, was involved in a fight over America Online's purchase of Time Warner, successfully pushing the FTC to require that AOL provide open access for iTV.

The latest report, which Mr. Chester said was researched by attending industry conferences and looking at company materials and analysts' reports, suggests a dark vision of media companies' plans.

Information gained from set-top boxes will be harvested in data profiles, which will then be used to target individual consumers,'' the report said. Every show watched, every ad viewed, every click and every download becomes fodder for the compilation of data and creation of user profiles.''

The information will not only be stored, but could be available to marketers in ways that come close to violating federal law, the report claims, noting a federal law barring cable TV companies from collecting information about users' viewing habits without permission. The same technologies that threaten privacy on the Internet ... are now being adopted by the U.S. television industry,'' the report said.

The group's report calls on the FTC and Federal Communications Commission to hold hearings and investigate the iTV industry, and it calls on Congress to mandate action.

Ben Isaacson, executive director of the Association for Interactive Media, called the report mostly fictitious,'' saying some of the feared actions are against the law and the threat'' that advertisers will target individual consumers is unlikely. He said advertisers' unwillingness to pay much more for targeted ads makes one-on-one advertising economically unrealistic, and he also said advertisers wouldn't take actions that would rile consumers.

We feel there is no need for consumers' concern,'' Mr. Isaacson said, adding the industry has been working on privacy policies to further assure consumers. Mr. Chester, while acknowledging the study may present the possibilities for iTV in a worst-case Frankenstein's monster'' scenario, said the report just explains what the companies have said. I am holding a mirror back to the industry,'' he said, and they don't like what they see.''


2. Medical privacy rules ignore public interest, news media's role.(Brief Article) Quill v89, n1 (Jan, 2001):4.

COPYRIGHT 2001 Society of Professional Journalists

New federal rules protecting the privacy of individuals' medical records say nothing about the value of providing information to the public, according to the Society of Professional Journalists.

The rules also do little to case media concerns that even routine information on patients will become unavailable, even when the public has a legitimate right to know information because of safety or health concerns.

SPJ believes the rules do not recognize the public's need to be informed about health impacts from crimes or accidents that must be reported to government health, law enforcement or regulatory agencies.

The rules were announced Dec. 20 by the U.S. Department of Health and Human Services following a four-year process that brought more than 52,000 comments from the public. They will become effective in 2002.

SPJ was among the journalism organizations that submitted comments after the draft rules were released in the fall of 1999.

Among SPJ's concerns were that the draft rules prohibited virtually all releases of patient information without patient consent and that harsh penalties for unauthorized releases would make hospitals withhold information, even when such releases are allowed, as in cases of public health emergencies.

SPJ had suggested that the final rules include provisions allowing for the release of "public record information" about patients. "Public record information" would include general information on certain categories of patients, including:

* people in police custody or who are transported to the hospital by public safety entities.

* people injured in violent crimes or accidents that are reportable to federal or other public agencies.

* public officials who are hospitalized.

The Society's suggestions did not make it into the final draft of the rules, which now must be reviewed by Congress.

"I'm disappointed that our suggestions were rejected," said Ian Marquand, the Society's Freedom of Information Committee chairman and special projects coordinator for the Montana Television Network. "Our suggestions were well-reasoned and were consistent with accepted current practices."

The final rules do allow for unauthorized disclosure of patient information for "national priority activities" such as "emergency circumstances" or "public health." But in SPJ's view, those guidelines might be inadequate to insure that citizens get the information they need in a timely way through the media.


3. LEXIS-NEXIS® Academic Copyright 2001 Times Publishing Company St. Petersburg Times May 14, 2001, Monday, 0 South Pinellas Edition SECTION: BUSINESS; FADING PRIVACY; Pg. 10E LENGTH: 2200 words HEADLINE: Privacy vs. convenience BYLINE: DAVE GUSSOW

BODY:The world knows a lot about you, more than you might think. And you're the one leaving a trail of personal information as you travel the Web.

It starts from the moment you go online: Your Internet service provider assigns you an Internet protocol number, a series of numbers that acts like an address in the online world. (For example, 123.45.56.7890.) You might think it doesn't give away much about you. You'd be wrong.

You provide more clues as you go. You enter your ZIP code to find a restaurant or get a customized weather map. You type your birthday into an online form when you register to use a site. You provide your e-mail address for an early warning when your stocks take a dive. You reveal your interests by the pages you visit and how much time you spend on each. You don't even have to click on something; the Web knows. Individually, you may not think these tidbits give away much that's useful. But marketers are collecting this information, adding things up and creating formidable databases that connect the dots.

Americans worry about their privacy, according to most polls. Yet we can be careless with personal information or willing to give it up for the flimsiest freebie.

Technology has taken the gathering of personal information to a new level, allowing companies to take data gathered from traditional sources, such as public records and product warranty cards, and combine those with data collected online. That paints a much more complete picture.

"People do not understand the nature of privacy," said Winn Schwartau, a nationally known Internet security expert from Seminole. "Most of us are already in the computers. We need Congress to give us our privacy back and mandate that electronic privacy is part and parcel of what we should have." The Web is not a one-way street for information.

When you click on a site, your personal computer is talking to a Web server, which recognizes the PC from the Internet protocol number. The Web server sends back the requested information, and, in the process, often adds a hidden extra. It's called a cookie, a small text file used to identify the personal computer if it returns later.

Starting with the Internet protocol number, sites can use technology that tracks that number back to your Internet service provider or, say, where you work, often providing at least a clue about where you live. It can tell how long you linger on a Web page and what items you click on.

But you don't have to register, click on an ad or do anything more than visit a site to be tracked. The cookies can follow you as you surf from site to site. Ads placed on hundreds of sites by companies such as DoubleClick can recognize a computer, track where it goes and tailor marketing to that computer user's interests.

It doesn't stop there. Send an electronic greeting card to a friend or family member and you've given away a couple of e-mail addresses. Use your mother's maiden name or other family information as a "security" measure when you register at a site. Sign up for a sweepstakes and provide information to enter. Visit a chat room using your real name and giving a lot of personal detail. "Put all those pieces together and you have electronic identity theft," Schwartau said. "Why is Amazon.com going to care about my exact birthday unless they want to use it for some other purpose? When you go into a physical store, it's a nonissue. They want your money."

The arguments about collecting personal information on the Web boil down to this: Consumers enjoy free things on the Web because advertising pays the way, marketers say. If consumers want the free ride to continue, companies need data to make their advertising effective. If consumers don't want to give up any personal information, they can decline, or "opt out," of accepting cookies and other data-gathering devices, the industry says.

Hogwash, privacy advocacy groups say. Web sites and marketers are collecting data without telling people, nor are they giving a clear explanation of how the information will be used. Consumers should have the right to choose, or "opt in," before anything personal is made available.

"A lot of businesses view privacy as something that gets in the way of a relationship between a business and consumer," said Gary Clayton, chief executive of the Privacy Council (www.privacycouncil.com). "They need to manage that relationship with a customer in a way that they're good stewards of the data. It doesn't mean they can't direct market. It doesn't mean they can't use it in partnerships."

The council works with businesses to develop effective privacy policies, based on what it calls a consumer-friendly point of view. And Clayton isn't shy about criticizing practices he calls misleading, including long, legalistic privacy policies that are posted on many Web sites. "Consumers don't read all the fine print," Clayton said. "And most businesses know that."

But the consumer has a responsibility to know how the Web works, argues Lon A. Berk, a lawyer at the Shaw Pittman firm outside Washington. At a recent seminar in Tampa put on by the Stetson University College of Law, Berk posed this question: "Is there really an expectation of privacy on the Internet?" Most people don't take steps to block cookies or protect personal information online, Berk says. By not doing so, they are participating in a two-way communications process where they get the information they're seeking on the Web and the sites learn more about their visitors.

"Many users seem to object to a Web site's tracking their use through cookies," Berk said. "But the efficiency of their transactions on the Web site is the result of the information provided by these cookies. Given this, how can it be reasonable to expect that cookies will not be used?"

Some of the deepest fears about privacy on the Web concern the possibilities of online fraud and other crime. But few Internet users have been victimized. Less than 3 percent of Internet users have lost credit card information online; only 3 percent say they have been cheated in an online purchase; and only 4 percent have felt threatened. Nonetheless, stories about fraud, hackers and identity theft, which has been called the fastest-growing white-collar crime, raise concerns about losing personal information.

Tips from the experts: Think about the information you're going to enter on a Web site and don't go beyond what's requested. Don't use your real name in a chat room. Don't be too open in chat rooms. Set up an alternative e-mail address. Deal with businesses you're familiar with or take steps to verify that a site is legitimate, such as by calling posted phone numbers.

"I still think you can have a relatively meaningful experience without using things that will identify you," said Les Seagraves, chief privacy officer for EarthLink (www.earthlink.net), an Internet service provider.

Privacy worries also are creating opportunities for businesses such as Privista (www.privista.com), a New York company that offers information security services to consumers. "What consumers are saying," Privista chief executive Eric Gertler said, "is "I want to engage in online commerce. I just don't want to do it with the potential that my identity will be stolen and my information will be bought and sold, and there can be credit card fraud. I want to know that companies respect me.' "

Privista has signed up 10,000 subscribers in 10 months for services that include its free Opt-Out Manager, which promises to reduce telemarketing, direct mail and e-mail pitches; ID Guard, which costs $ 19.95 a year and sends subscribers e-mail alerts if there is suspicious activity concerning their credit report; and Credit Insight, a $ 29.95 product that gives your credit rating, access to your credit report and the ID Guard service.

Despite the Web's Wild West reputation, crimes such as identity theft are more likely to occur the old-fashioned way: mail stolen from real mailboxes, personal papers tossed into the garbage or businesses carelessly throwing out records, according to Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. "Consumers can reduce their chances, but there's not a thing they can do to totally prevent" misuse or theft of their information, Givens said.

The phone book contains a few key facts about you: name, address and number. "I'm one of a zillion people with telephones," said Andrew C. Greenberg, a partner in the Carlton Fields law firm's Tampa office. "I can't be distinguished from them. I'm fairly safe and anonymous in the numbers."

Other sources have more information that's far more useful, says Greenberg, the past chairman of the Florida Bar's Computer Law Committee. The government, for one, collects a lot of information. And while the Florida Constitution guarantees people a right to privacy, it also says government records are public. If you buy or sell property, if you own a pet, if you have a business, if you get married, a lot of information is available for all to see.

Government agencies are moving those records online, where it's more accessible to the public and to companies looking for information. Add data gathered through marketing efforts and throw in your online profile and a picture begins to emerge. "These things can be combined in ways they've never been done before," Greenberg said. "The economics are no longer prohibitive to get good detailed information about you."

That information is worth a lot, too. When online retailer Toysmart filed for bankruptcy, its most valuable asset was its customer list. It took the Federal Trade Commission to get an agreement that the list and personal information customers gave to Toysmart would be safeguarded by the new owner.

Other companies have tried, or are planning, other methods to gather information that worry privacy advocates: +Microsoft unveiled "Hailstorm" this year, part of its vision of a future where people are connected by phone, gadget or PC anywhere they go. It will start out as an elaborate message system that will send text messages to computers, pagers, phones and other devices. Hailstorm would expand in future years with users providing more personal information, stored on a Microsoft server, so the system can learn personal preferences and know when to interrupt someone with a message alert.

Microsoft promises that it won't mine the personal data for marketing and swears that it won't have security problems as it has in the past. But privacy advocates scoff. "Microsoft has got it in their head that if they tell everyone what they're doing with their data, it's okay," said Marc Rotenberg, director of the Electronic Privacy Information Center, a public interest group. "But the real key to online privacy is to try to minimize the collection and use of data." +

Online auction site eBay said it might sell customers' personal information if it merges with another company, despite a promise to keep the data private. The new privacy policy outraged privacy advocates. +Amazon.com started an "honor system" this year to allow people to donate money to Web sites they enjoyed, suggesting the move would help financially struggling companies. But Amazon controlled the system and could track where its customers visited, though it denied it would do so.

+DoubleClick dropped plans to combine its online and offline databases, but won a court ruling this year that upheld its right to place cookies on computers. It says it is taking more steps to protect personal information, though privacy advocates are skeptical.

All of this comes down to a choice for consumers, attorney Greenberg said. "People would like some control over their personal information. They would like to be able to bargain with business. "I will fill out this form and give you information that is personal to me if you promise not to do certain things.' "

Although Greenberg agrees that a lot of information is already out, he rejects the notion that it's too late to reclaim online privacy. "Information does get stale rather quickly," Greenberg said. "If people do get protective, eventually they will have more privacy than they do today."

Information from Times wires and files was used in this report. Dave Gussow can be reached at gussow@sptimes.com or (727) 445-4228.

Here are Web sites of some of the organizations involved in the privacy debate:
Junkbusters www.junkbusters.com
Cookie Central www.cookiecentral.com/
Electronic Privacy Information Center www.epic.org
Federal Trade Commission www.ftc.gov/privacy
Center for Democracy & Technology www.cdt.org/
Electronic Frontier Foundation www.eff.org/
Network Advertising Initiative www.networkadvertising.org
Online Privacy Alliance www.privacyalliance.org
Privacy Rights Clearinghouse www.privacyrights.org
Privacy Times www.privacytimes.com

Some examples of companies that offer privacy protection services:
Anonymizer www.anonymizer.com
IDcide www.idcide.com
Privada www.privada.com
Privista www.privista.com
ZeroKnowledge www.zeroknowledge.com

LOAD-DATE: May 15, 2001


4. LEXIS-NEXIS® Academic Copyright 2001 / Los Angeles Times Los Angeles Times May 6, 2001 Sunday Home Edition SECTION: Business; Part 3; Page 1; Financial Desk LENGTH: 1486 words HEADLINE: Privacy Cases Not Yielding Much Payoff; Consumers: With laws predating the Internet, suits alleging misuse of personal data don't have much legal ground to stand on. BYLINE: EDMUND SANDERS, TIMES STAFF WRITER DATELINE: WASHINGTON

BODY: Not long ago, invasion of privacy looked as if it might follow in the legal footsteps of securities fraud, tobacco deaths and exploding tires as a source of multimillion-dollar court judgments for consumers doing battle with giant corporations.

Instead, consumers suing over alleged misuse of their personal information have suffered a string of courtroom setbacks and paltry settlements. Based on several pending out-of-court deals, the going rate for corporate invasions of personal privacy appears to be about $50 a pop, hardly the gold mine predicted by class-action attorneys.

DoubleClick Inc., an online ad firm, got its privacy lawsuit tossed out of federal court. RealNetworks Inc. forced its litigants into arbitration. Amazon.com Inc. settled for far less than consumers originally sought. Corporations have benefited from the fact that most privacy law protects citizens against invasions by the government, not by business. And much of the case law on the subject dates back 50 years, long before the Internet and other technology gave companies new tools to collect and use personal information about consumers.

With Congress still unsure about the need to strengthen privacy protections, plaintiffs' attorneys are resorting to creative legal arguments. "You have to stitch and quilt existing laws to make it work," said Evan Hendricks, a Washington privacy advocate. "It's not clean and it's not easy." A New York federal judge unraveled the latest product of such legal stitching March 30 when she dismissed a privacy class-action suit against DoubleClick.

Plaintiffs argued that the firm's use of cookies--small files placed on an individual's computer to store personal data--violated criminal wiretap and computer hacking laws. DoubleClick countered that the laws, which were originally crafted to protect against hacking and e-mail spying, should not apply to privacy cases.

The federal statute at the center of the case, known as the Electronic Communications Privacy Act, has caught the attention of privacy class-action attorneys because it calls for fines of as much as $10,000 per violation. Because Internet firms such as DoubleClick have installed millions of cookies, damages could reach hundreds of millions of dollars.

But District Judge Naomi Buchwald refused to apply the wiretap statute to the DoubleClick suit and dismissed the case before trial. Plaintiffs are appealing.

The ruling does not bode well for similar cases brought in federal courts nationwide based on the same statute, including suits against Web advertisers Avenue A Inc. and MatchLogic, a unit of Excite@Home.

"It's a mistake for plaintiffs' attorneys to believe that they've struck gold in privacy," said Alan Westin, a privacy expert and business consultant. "The courts have been very careful in their decisions. I don't see any home runs for class-action attorneys so far."

Westin's research firm, Privacy & American Business, is tracking 57 consumer privacy cases in state and federal courts. He expects many to end in settlements out of court.

Alexa Internet, a unit of Amazon.com, revealed last week that it had agreed to pay up to $40 each to consumers who could demonstrate that their personal information was improperly gathered by the company. Alexa distributes software that monitors Internet surfing and then recommends related Web sites that might be of interest to users.

But a preliminary survey found that less than 5% of the class of victims would qualify for the payments or bother to make a claim, according to an attorney familiar with the case.

Minneapolis-based U.S. Bank was sued in 1999 for selling customer data to a telemarketer. Under a proposed settlement, payouts would range from $25 to $400 per customer, although most are expected to be less than $50. Consumers have not received their checks because attorneys are wrangling over fees, which could reduce how much consumers get.

Other companies have rebuffed privacy suits by invoking arbitration clauses.

RealNetworks, which was accused of using software that secretly collected information about users' music-listening habits, convinced a federal judge that its standard software licensing agreement, which users must accept before downloading the program, required that disputes be settled by arbitration.

Companies prefer arbitration because it is usually confidential, often yields lower payouts and does not permit class-action status. Now AOL Time Warner Inc., whose Netscape browser unit is battling its own privacy suit, is hoping to use the same strategy to push its pending cases into arbitration.

Though consumer payouts for privacy invasion have not been substantial so far, Westin noted that class-action attorneys themselves are reaping large fees. For example, fees in the U.S. Bank case are expected to top $1.25 million. Plaintiffs' attorneys for Alexa users are set to receive $1.9 million.

Class-action attorneys and privacy advocates concede that they are off to a bumpy start. But if they have not won large monetary awards, they argue that they are forcing businesses to improve their privacy protections.

"As a result of these cases, Web users' privacy has been increased and additional protections have been put into place," said Adam Levitt, a Chicago attorney representing DoubleClick, RealNetworks and Amazon plaintiffs.

In addition, privacy advocates can point to a handful of promising legal cases, including a recently certified class-action suit against CVS Corp., a drugstore chain. The suit was filed by an AIDS patient after CVS bought his local pharmacy and disseminated his prescription records to CVS stores nationwide without his permission. CVS says it broke no laws.

Another widely watched case, based partially on invasion of privacy claims, is in the final stages of a settlement that could yield $15 million for as many as 23,000 consumers nationwide.

The suit, filed in Texas, was spurred by Beverly Dennis, an Ohio woman who received a consumer questionnaire from information broker Metromail, which offered to compensate Dennis for her participation by sending free coupons. Instead, Dennis received a threatening, sexually explicit letter from a convicted rapist in Texas, one of many prisoners used by Metromail to input the survey data into computers.

Dennis sued Metromail, now part of Orange-based credit bureau Experian, for invasion of privacy, fraud and negligence.

But such a large settlement is more an exception than the rule, said her attorney, Michael Lenett. Not only were the circumstances of the case unusually shocking, but the prisoner's letter also provided tangible evidence of the harm caused by the invasion of Dennis' privacy.

"Most of the injury in privacy cases is emotional and intangible," Lenett said. "It's hard to prove actual harm." Setting a price tag on that kind of injury remains elusive. Unless consumers are the victims of fraud, embarrassment or identity theft, they have difficulty showing injury from the collection and use of their Web-surfing habits, the sale of their bank records to a telemarketing firm or the sharing of pharmacy records with affiliated drugstores.

Attorneys Turn to State Laws

The lack of specific privacy invasion statutes is another stumbling block for consumers. Most federal privacy laws were adopted in the 1970s and restrict government use of information about citizens, not commercial use. In most cases, enforcement rests with federal agencies, not private citizens.

As a result, many class-action attorneys are turning to state courts, where there are more established consumer protection laws dealing with invasion of privacy, breach of contract, deceptive business practices and trespassing. DoubleClick still faces state lawsuits in California and Texas.

But even state laws related to invasion of privacy were written to address such things as improperly using a celebrity's likeness and portraying someone in a false light, not collecting or selling personal information.

"We urgently need laws that address the collection of data on the Internet," said Jason Catlett, president of Junkbusters, a privacy advocacy group. Even business might benefit by having a clearer idea of which practices are appropriate and which cross the line.

Companies say they are highly concerned about losing the trust of consumers over their privacy practices and worry about the negative publicity that privacy lawsuits generate. "Companies react strongly to public attention," said Jules Polonetsky, chief privacy officer at DoubleClick, whose stock declined and customers dropped after its privacy controversy.

Nor is the courtroom battle over. "All it takes is one judge or one jury," Westin said. "Most the cases are still pending. . . . No company wants to become the poster boy" for invading privacy.