Web Security Faces Scrutiny

To consider questions about how companies on the Internet are allowed to collect personal information from customers and what they can do with it afterward, critics and the online industry are meeting at an Internet privacy summit, starting Tuesday in Washington.

The goal is to encourage the growth of fledgling Internet commerce while balancing the privacy rights of consumers. Industry wants to develop its own rules and punishments. Privacy advocates want the government to write tough new privacy laws - now.

So far, the Clinton administration, wary of stifling business on the Internet with burdensome new laws, has indicated it will give companies more time to come up with ways to regulate themselves.

"They have their eyes closed and their fingers crossed that it will all work out," complained Jeff Chester, executive director of the Washington-based Center for Media Education. "The administration has been on its knees pleading with American high-tech companies to come up with measures to protect online privacy, and they've been met with a loud chorus of denials."

The Internet can be a corporate Candyland of personal consumer information. Customers routinely respond to questionnaires on Web sites, providing their names, e-mail and postal addresses, and other personal data.

Once a person provides identification to a Web site, companies can easily track which Web pages the person reads at that site.

Buy anything on the Internet, or just fill out one of those innocent-looking forms on a Web site, and a company can learn a lot about you: what you read, what you wear, maybe even information about your health.

Until a person provides an identity, only relatively innocuous information can be collected behind the scenes, such as which kinds of software the person uses.

"Once an individual gives over information, that can be tied to a whole bunch of data about what you've done at a Web site or at a whole bunch of Web sites," said Deirdre Mulligan, a lawyer with the Washington-based Center for Democracy and Technology. "That might reveal your preferences, your taste in books, your taste in politics or in clothes. It gives people the ability to create dossiers unparalleled in the offline world."

On the eve of the privacy summit, nearly 50 large companies that sell products on the Internet formed a trade group to convince the federal government that industry can police itself against abuse.

"Think of it as an online neighborhood watch," said Christopher Caine, a vice president at IBM.

The companies include America Online, AT&T, Disney, Equifax, Microsoft, Netscape, Procter & Gamble, and the largest personal computer makers.

They proposed that companies should not collect information online from any child under 13 without a parent's consent or without directly notifying parents. They also urgd companies to tell customers what information is being collected and how it's used and to offer customers the chance to keep their personal data private.

But, significantly, the Online Privacy Alliance did not announce how it will punish companies that violate its principles, saying its members "are finalizing an enforcement and consumer redress policy." Caine said the group will announce its plan by Sept. 15.

"Ultimately, it is the consumer who is going to vote," said Mary Whelan, a vice president at AT&T. "As people begin to understand how much information is collected about them, they'll begin to ask questions. That will drive how businesses will behave."