When the good go bad

It’s a crazy time, no? The U.S. Federal Bureau of Investigation is busy implementing an open-everybody’s-e-mail project called Carnivore. Toys R Us Inc. sent customer information to a third party after promising it would be kept confidential. Web businesses of every kind are surreptitiously tracking their customers.

Meanwhile, at their annual convention in Las Vegas, hackers were preaching the gospel of better security and privacy and calling on would-be Internet juvenile delinquents to act more responsibly.

How crazy is that?

OK, let’s be clear about this: The hackers haven’t turned the Def Con convention into a high-tech church picnic. The attendees reportedly set off smoke bombs, dumped bubble bath into Jacuzzis and poured concrete down toilets.

But there were also days of presentations on security holes and how to plug them, and warnings about the limits of new security technologies such as biometrics. And yes, members of the Cult of the Dead Cow (of Back Orifice fame) really did appeal to young hackers to stop vandalizing Web sites, and other speakers encouraged a learn-and-move-on approach instead of using holes that hackers uncover to cause problems.

That’s what the bad guys, your worst nightmare, are pushing these days: security, privacy and responsible behaviour. Crazy, huh?

And what are the good guys promoting? Doubletalk, legalistic evasions and sneakiness.

Yes, the FBI swears its Carnivore e-mail surveillance system will examine only messages to or from suspected criminals. But we all know they’ll have to scan at least parts of every message the system encounters. They’re still opening everyone’s mail.

Yes, Toysrus.com says it meant no harm when it gave application service provider Coremetrics Inc. access to its customer data. But regardless of whether that action was harmful, Toysrus.com’s on-line privacy statement said the data wouldn’t be shared with third parties. Period. (That privacy statement has since been amended to state, “We may also utilize a service provider to assist us in aggregating guest information. We may then share such aggregate information with prospective partners and advertisers.”)

And yes, we all justify the cookies and invisible GIFs and JavaScript and other techniques we use to spy on our customers to squeeze more data out of what they do on the Web. We like to tell ourselves that our customers don’t mind these invasions of their privacy – it’s just, well, what you do on the Web.

But if we really believe they don’t mind, why do we go to such great lengths to be sneaky about how we collect that information?

There are two likely answers to that question. One is that we don’t believe it: We’re just lying to ourselves so we don’t feel guilty.

The other is that we really haven’t thought about whether any of this is really a good idea. We can do it – other people are doing it – so why not?

But we should think about it. If we don’t, we’re as irresponsible as any pimply-faced hacker wanna-be who ever launched a virus or brought down a Web site without even considering the consequences – just because he could.

Look, customers do business with us because they trust us. They want to trust us. They’d prefer to trust us. We’re the good guys, remember?

But if we lie to them or spy on them and then give them a lot of doubletalk and improbable excuses, they’ll stop trusting us. And they’ll stop doing business with us. It’s that simple.

If we don’t take their privacy seriously – as seriously as customers themselves take it – we’ll drive them away, demolish our credibility and destroy our businesses.

And how crazy is that?

Hayes, a Computerworld (U.S.) staff columnist, has covered IT for more than 20 years. His e-mail address is frank_hayes@computerworld.com.