computer_lock Title

Ethical Concerns

Q. Should Internet users be concerned about the privacy of their personal information while online?

A. The degree to which an Internet user should be concerned about their privacy while online depends, of course, on whether or not she ever offers private information, with whom she chooses to share such information, and what types of behavior she is engaging in while online. For example, if an end user only browses the Internet from a computer terminal in a public library and never uses any services that require her to enter any personal information, she need not be concerned; this is suffice to say that Internet users need only be concerned with digital personal information they choose to provide to online merchants.* That being said, however, once a user chooses to share information with a corporation online (for whatever reason), the user is entering into a sort-of contractual agreement in which the corporation can use information in whatever manner is laid out by the corporate privacy policy. Although there is some legislation (see the legislation page discussion), policy implementation is left to the individual companies and thus the amount of privacy that the user retains differs from company to company.

With this background, we turn to the question at hand: " Should Internet users be concerned about the privacy of their personal information while online? " Clearly, the corporation with which a user is interacting dictates the amount of privacy that an end user retains. Similarly, the user must decide exactly which information they want to share and weigh a potential compromise of their personal privacy against the benefits of the services and good provided by corporation via the Internet. What types of compromises are possible? The list is lengthy, but some of the most notable are identity theft and credit card fraud. Both of these misuses can take place when sensitive personal information is given to a malicious party. The repercussions of a privacy violation, however, may not be as severe, for example, with an email listing of all consumers, a given corporation could send an obscene amount of spam, causing a significant inconvenience to numerous end users.

Thus we see that the answer to this question is not clear-cut. Personal information is an asset. When you share personal information with a corporation online, the exchange must adhere to the corporation's. privacy policy, a policy set by the corporation itself. If the corporation is malicious, this could lead to serious consequences.

Q. What responsibilities do corporations have to protect user's private information?

A. As has been discussed in the answer to the previous question, it is clear from the current state of legislation that most of the protection of sensitive user information is granted by corporate privacy policies. Although the Better Business Bureau, TRUSTe, and other corporations are working to solidify the content of online privacy policies, many web sites still fail to obtain certification. Because current legislation has been outlined in depth on the legislation page, we will omit an additional discussion here except to say that there are not many legal restrictions that dictate how a user's personal information be used.

Ethically, however, the responsibilities of corporations are much less clear. One could argue that it is the responsibility of users to be suspicious of everyone with whom they share personal information, always reading privacy policies and always sharing the minimum amount of information possible. Although this makes sense to some extent, corporations must also take measures to facilitate such skeptical user behavior. Corporations must provide users with easily accessible and clearly written privacy policies that detail the manner in which personal information will be used and with whom it will be shared. Additionally, corporations must provide users with a mechanism for opting out in the event of a breech of such a privacy policy. The specifics of these ethical concerns will be addressed in follow up questions.

Q. Many users fear that corporations work to obscure privacy policies either by the language they choose or the location they are placed on the web site. Is this reasonable?

A. No. This is one of the major items addressed by corporations like the Better Business Bureau and TRUSTe: end users must be capable of locating and understanding the privacy contracts into which they enter with corporations when purchasing services or goods online. Although legal jargon is important as it would provide a strong foundation for privacy policies in court protecting both the end user and the corporation, it also prevents the average end user from understanding the privacy policy. Corporations should be transparent and help end users to engage in more secure behavior online. At the same time, however, we can argue that if consumers actively did not choose to purchase services or goods from corporations with obscure privacy policies, such companies would cease to have an online presence. Thus, clearly, both the consumer and the corporations must drive the future of online privacy policies.

Q. Most privacy policies maintain a clause stating that they can be changed at any time. Is this reasonable?

A. Businesses change over time, and they must have the flexibility to update their privacy policies to reflect such changes. "Proposed mergers between companies with differing privacy policies may give rise to regulatory challenges"[Garon]. Clearly, like any other public statement about the company, the privacy policy must be able to grow with the company and adapt to corporate changes. However, one has to wonder, do these clauses allow corporations to go back on their agreements with end users and use collected personal information as a major asset when such information was collected under different terms? Consider the case of 2000. was a website primarily owned by Disney that sold various children's products online during the dot com bubble. After the company filed for bankruptcy, announced their plan to liquidate their assets, a business move that included selling a database of personal consumer information collected under a privacy policy that stated that private information would never be shared with third parties. Once notified of this announcement (such notification was originally obtained via TRUSTe), the FTC decided to take Toysmart to court, arguing that such actions contradict the privacy policy outlined on the Toysmart website. The case was eventually settled and Toysmart agreed not to sell their database as a stand-alone asset. Here we note, however, that although Toysmart agreed not to sell this database as a stand-alone asset, they did manage to convince the FTC to allow them to sell it. Thus this clear violation of their posted online privacy policy was allowed. Perhaps such behavior was permitted as Toysmart maintained a clause that allowed them to change their policy at any time.

Thus clearly, like all of the other ethical questions raised so far, the question of the clause that allows a corporation to reserve the right to change their policy at any time, is a double-edged sword. End users must not require corporations to lock themselves in corners allowing no room for growth, but at the same time, corporations must not misuse such policies in order to profit from sensitive personal information.

* Some might argue that this is perhaps a short-sighted view as many corporations with whom users interact offline (e.g. health care providers, banks, etc.) are moving services online and thus corresponding sensitive information will be accessible online as well. Although this is true to some extent, we have chosen to focus this report on those services that an end user actively chooses to purchase a service or good.