The response is also a reflection that privacy and security are fundamental to consumer acceptance of e-commerce.
Among those with a failing grade, I have noticed that responsible and well-meaning organizations sometimes cross the line to collect or use personal information in inappropriate ways.
For example, I noticed one site that asks for information about year of birth and gender. Provision of the information about gender is mandatory in order to take advantage of the site’s services, as the site owners believe this information is necessary and useful to understand the demographics of their customers. Be that as it may, it is inconsistent with all privacy codes to make the provision of personal information a condition of service when the personal information is not required for the actual provision of that service.
In another example, a training site claims in the contractual and employer benefits sections of their site that they will make information about your course registration and the course descriptions that you have browsed available to your employer. There might be certain circumstances where this disclosure is appropriate. For example, the employer may be paying for the course and the employee may be collecting her salary while attending the course. However, this same disclosure would be a serious invasion of the individual’s privacy for those students who are taking the course without employer support. Those individuals may be gaining expertise in technology that is not used by the employer. In those cases, the assumption by most employers would be that the individual is preparing to change jobs. But the actual reason doesn’t matter – the Web site has no business disclosing the information to the employer without the individual’s consent.
In yet another example, a Web site claims to conduct surveillance of their system using authorized systems administrators. No reason for the surveillance is given. I have previously commented on surveillance (please see “Think carefully before venturing into surveillance territory,” CWC, June 4, 1999, www.itworldcanada.com/cw/archive/cw15-11/cw_wtemplate.cfm?filename=cw1511o3.htm). In that case, there was even less justification for surveillance because there is no employee-employer relationship as discussed in that column.
I’m not suggesting that businesses are setting out to develop privacy-hostile practices; they just seem to get caught up in a race to leverage information without first considering the privacy implications. Web site owners need to improve their understanding of privacy and to conduct formal privacy reviews to avoid situations such as those noted above. This is especially true if they are to avoid contravening the proposed private sector privacy legislation.
Boufford, ISP, is president of e-Privacy Management Systems Inc., a consulting firm specializing in privacy and IT in Lakefield, Ont. He is also a national board member of the Canadian Information Processing Society. He can be reached at www3.sympatico.ca/john.boufford.