Chapter 9

Privacy and Customer Feedback

Being good is good business.

—Anita Roddick

Getting customer information is easy. You can buy it from the government, from list brokers, from competitors even. But getting customer information from customers is not easy, as we’ve seen in the last two chapters. Yet it’s absolutely necessary, because the only real competitive advantage an enterprise can have derives from the information it gathers from a customer, which enables it to do something for him that no one else can. Competitors without a customer’s personal information are at a disadvantage. That is the one compelling reason an enterprise must interact with its customers and reward them for revealing their personal information. It is also the main reason why an enterprise should never misuse the information it owns about a customer or violate a customer’s trust—because a customer is the most valuable asset the firm has, and the ability to get a customer to share information depends so much on the comfort level a customer has with giving that information to an enterprise.

Interestingly, for the first time since we all became aware of privacy as an issue, enterprises and customers share a common interest: protecting and securing the customer’s information. At least that’s true of customers who are thinking about the implications of their far-flung data and of enterprises that are building their value through strategies designed to build the value of the customer base.

In this chapter, we first look at some general privacy issues and how they are being addressed. We next examine the distinct issues raised by data held and exchanged online.

Every day, millions of people provide personally identifiable information about themselves to data collection experts. As a result, an average U.S. consumer is buffeted by thousands of marketing messages every day1—far too many to hit any consumer’s consciousness. How many do you remember from yesterday? Consumers sometimes unknowingly divulge their personal data during commercial transactions, financial arrangements, and survey responses. And the Web has escalated the privacy debate to new heights. Never before has technology enabled companies to acquire information about customers so easily. Watchdog privacy advocates and government regulators are mobilizing against the threat to a consumer’s right to privacy.

Consider these points:

  • Privacy policies of individual companies vary tremendously, as does compliance with these policies (largely self-generated and self-enforced).
  • Privacy preferences vary tremendously among individuals and across nations and cultures.
  • Hundreds of new privacy laws have been introduced worldwide in the past 10 years.
  • Courts around the world are awarding significant damages to consumers and Internet users over claims of privacy violation.
  • New technologies that support data collection, Internet monitoring, online surveillance, data mining, automatic mailing, personal searching, phishing, identity spoofing, and identity theft (now a billion-dollar industry)2 are rolling out into the electronic marketplace every month.
  • Personalized, customized products and services over the Internet—most of which require users to provide more personal information than they have ever given to companies before—are growing.3

And yet, in the twenty-first century, we realize that customer data are among the most valuable assets an enterprise can have, because the personal information about a particular customer that no other enterprise has is a unique asset that can provide an insurmountable competitive advantage in dealing with that single customer. For a customer-based enterprise to be successful in this century, it needs to protect that information—to hold it sacred. Privacy and personalization are inextricably interwoven. Customers who feel like they could lose control over their own information are not likely to become willing participants in a dialogue. Privacy should not be taken lightly by the customer-based enterprise.

For the enterprise interested in increasing its share of each customer’s business, there has to be a balance between getting enough information from customers to help them do business with the firm while respecting their right to lead a private life. The dilemma for the customer-strategy firm is how to remain sensitive to privacy while improving the business to suit each customer’s individual needs. This is in stark contrast to a product-selling company, which likely views privacy simply as a roadblock on the road to profitability.

The privacy debate continues as the interactive and interconnected era matures. Despite the ongoing controversy over a person’s legal right to privacy, customers find it difficult to quantify the damage they incur when their privacy has been violated. It is difficult to place a monetary value on the abuse of personal information, unlike other crimes, such as a car theft. For that matter, what does it cost when someone’s credit card number is exposed to a third party who does not use it?

Our society subscribes to two antithetical beliefs simultaneously: that people should have the right to remain inconspicuous to others but also have the right to learn the identity of someone else when we need to. For instance, a consumer might want anonymity when shopping, especially online. But the same person might support a system that reveals the identity of computer hackers or those who plant e-viruses. To ponder further, our society requires the display of license plate numbers, for public revelation of each automobile owner. Should we also have “license plates” for Internet users so it would be easy to track them down when they commit an offense, such as identity theft or launching a virus maliciously?

Two events since the beginning of the century have shaped our opinion of privacy, at least in the Western world:

1. The terrorist attacks in the United States on September 11, 2001, called into question the wisdom of ironclad privacy protection and the anonymizing technologies available online.

2. The increased capabilities of social media and their surge in popularity, especially among younger consumers (see Chapter 8), have significantly increased the volume and detail of personal information many people make available online.

A 2008 study by the American Consumer Institute’s (ACI) Center for Citizen Research found that online users’ concern about privacy issues is continuing to rise: 74 percent were “very concerned” about identity theft, and 61 percent reported “great concern” about their privacy due to online tracking programs.4 In contrast, a Forrester study conducted that same year found that only 35 percent of 18- to 28-year-olds are concerned with sharing information online.5 Ironically, although most Americans do seem to think privacy is fairly important, a lot of U.S. popular culture has been inspired by snooping: So-called reality television programs, such as Survivor, Wife Swap, and Extreme Makeover: Home Edition, have enabled viewers to peer into the private lives of other ordinary people. It has become a cultural norm to be flies on the walls of a stranger’s personal conversations when his cell phone rings while he is riding a bus or a plane. Voyeurism seems to be more in vogue, so long as no one is snooping on me. But the increasing popularity and use of social media has led to what might also be an epidemic of exhibitionism (discussed later in this chapter), at least among the younger generation. It’s possible that kids who were born after 2000 will simply not get the idea of privacy, since they will have been raised in a world of increasing transparency.

Privacy concerns have long existed in traditional shopping methods, not just the Web. Walk into a supermarket or department store and the customer is often asked to hand over a loyalty card in exchange for a purchase coupon. But what if he buys something in a retail store, and simply uses a standard bank credit card? In such a case, the store has very little way of tracing the information about that shopping transaction and may have difficulty linking it to a particular customer, unless the customer is having the merchandise delivered. (It should be noted that the credit card company will have a complete record of that transactional information, for that customer, store to store.) Nordstrom Inc. has found a way to gather information from nearly all in-store purchases, regardless of payment type. Its store personnel ask customers for permission to affix a bar code to the back of a customer’s own (non-Nordstrom) credit card, giving the store the capability to track its customers’ purchases made with other credit cards.

Profiling of a customer’s personal data is standard protocol in the direct-mail industry and has been for nearly a century. Traditionally, this has meant that catalog retailers and credit card companies have collected names and addresses for their own use and have sold or rented those lists to other direct marketers. Phone a catalog merchant, and the buying process involves divulging an address and phone number. For that matter, call L.L. Bean or many other catalog companies, and the customer service representative might even be able to identify the customer before he states his name, thanks to the caller identification (ID) technology integrated into the company’s call center. Interactive voice response systems, when programmed with metadata detailing the kind of calls individual customers have made in the past, can ensure that the most valuable customers end up at the top of the queue to speak directly with a customer service representative.6

Remembering a customer and his logistical information makes it easier for him to order and also leads him to believe he is important to the enterprise. The Internet offers the greatest opportunity to date for gathering personal customer information, as long as a mutually valuable relationship between provider and consumer is honored. Over time, data collected about Web-site visitors empower companies with a keen ability to identify their most valuable customers and deploy relevant marketing campaigns—as long as the information customers enter is true, that is.7 But, in general, customers themselves are recognizing the convenience of being known by the Web sites they visit: A 2006 Ponemon Institute survey found only 8 percent of people “very frequently” delete cookies (down from 14 percent in 2004) and 24 percent “never” delete them. Further clarifying that convenience is outweighing past privacy concerns, 63 percent said marketers should understand their interest before advertising to them, and 55 percent said that Web ads that suit their needs improve or greatly improve their online experience.8

However, even questionable security is a deal breaker for most customers. Sixty-three percent of respondents to a National Cyber Security Alliance and Symantec poll did not complete a Web site purchase due to security concerns—with the majority of those choosing not to purchase “simply not sure” about whether the site was secure. As important as convenience may be, more than 75 percent of respondents said they would be just as likely to make a purchase from a Web site if it required additional steps to verify their identity.9 Clearly, customers want both maximum convenience and maximum (identity) security, creating a very precise tightrope for customer-centered businesses to walk.

Enterprises gather information about their customers and create loyalty programs to build lasting relationships. But with increasingly complex product choices, many sophisticated customers enjoy comparing and contrasting products to find the best price and most efficient service—and want both the information and the privacy to make a decision on their own terms, without being pressured too soon to make a purchase. The goal, therefore, is for the enterprise to find out as much information as it can about a customer and use it for that customer, to make the buying experience more valuable to that customer in various ways. Managing customer relationships in the interactive age requires enterprises to collect information about customers in a “virtuous cycle” in which they can deliver additional value to individual customers. Once the customer begins receiving personalized attention and customized products, he is motivated to divulge more information about himself.

For instance, a recent Forrester report, which concluded that few consumers perceive a value exchange for sharing personal data, did find that some consumers surveyed are “willing” or “extremely willing” to share personal information in exchange for:

  • Receiving product samples—34 percent
  • Gaining entry in a sweepstakes or contest—22 percent
  • Receiving better products or services—20 percent
  • Receiving ads and offers relevant to their wants and needs—18 percent
  • Finding/meeting people with similar interests—9 percent10

Although the preponderance of evidence shows that consumers do like the customized offerings and other advantages companies can give them by tracking their data, it is essential to guarantee that the customized benefits provided will not jeopardize their privacy. Customers must know that the company will use that data in a limited way for services agreed on in advance. Without such trust, customization is not a benefit. Once earned, trust in an enterprise enhances customer loyalty. But enterprises need to address customer concerns about privacy, to offer guarantees, and stick to them. Those enterprises that gain the customer’s trust first often will have the first-mover advantage. (We talk more about privacy pledges later in this chapter.)

Some believe that a customer might be more trusting of an enterprise and would provide the personal information that can foster a mutually beneficial relationship if the enterprise simply first asks the customer his permission to do so. The relationship in which a customer has agreed to receive personalized messages and customized products forms the basis of permission marketing, an idea from author Seth Godin.

Permission Marketing

Seth Godin

Blogger and Author

Two hundred years ago, natural resources and raw materials were scarce. People needed land to grow food, metal to turn into pots, and silicates and other natural elements to make windows for houses. Tycoons who cornered the market in these and other resources made a fortune. By making a market in a scarce resource, you can make a profit.

With the birth of the Industrial Revolution, and the growth of our consumer economy, the resource scarcity shifted from raw materials to finished goods. Factories were at capacity. The great industrialists, like Carnegie and Ford, earned their millions by providing what the economy demanded. Marketers could call the shots, because other options were scarce.

Once factories caught up with demand, marketers developed brands that consumers would desire and pay a premium to own. People were willing to walk a mile for a Camel, and knew things go better with Coke. When brands were new and impressive, owning the right brand was vital.

But in today’s free market there are plenty of factories, plenty of brands, and way too many choices. With just a little effort and a little savings we can get almost anything we want. You can find a TV set in every house in this country. People throw away their broken microwave ovens instead of having them repaired.

This surplus situation, or abundance of goods, is especially clear when it comes to information and services. Making another copy of a software program or printing another CD costs almost nothing. Bookstores compete to offer 50,000, 100,000, or even 1 million different books—each for less than $25. There’s a huge surplus of intellectual property and services out there.

Imagine a tropical island populated by people with simple needs and plenty of resources. You won’t find a bustling economy there. That’s because you need two things in order to have an economy: people who want things, and a scarcity of things they want. Without scarcity, there’s no basis for an economy.

When there’s an abundance of any commodity, the value of that commodity plummets. If a commodity can be produced at will and costs little or nothing to create, it’s not likely to be scarce, either. That’s the situation with information and services today. They’re abundant and cheap. Information on the Web, for example, is plentiful and free.

There is one critical resource, though, that is in chronically short supply. Bill Gates has no more than you do. And even Warren Buffett can’t buy more. That scarce resource is time. And in light of today’s information glut, that means there’s a vast shortage of attention.

The combined shortage of time and attention is unique in today’s information age. Consumers are now willing to pay handsomely to save time, while marketers are eager to pay bundles to get attention.

Interruption Marketing is the enemy of anyone trying to save time. By constantly interrupting what we are doing at any given moment, the marketer who interrupts us not only tends to fail at selling his product, but wastes our most coveted commodity, time. In the long run, therefore, Interruption Marketing is doomed as a mass-marketing tool. The cost to the consumer is just too high.

The alternative is Permission Marketing, which offers the consumer an opportunity to volunteer to be marketed to. By talking only to volunteers, Permission Marketing guarantees that consumers pay more attention to the marketing message. It allows marketers to tell their story calmly and succinctly, without fear of being interrupted by competitors or Interruption Marketers. It serves both consumers and marketers in a symbiotic exchange.

Permission Marketing encourages consumers to participate in a long-term, interactive marketing campaign in which they are rewarded in some way for paying attention to increasingly relevant messages. Imagine your marketing message being read by 70 percent of the prospects you send it to (not 5 percent or even 1 percent). Then imagine that more than 35 percent responded. That’s what happens when you interact with your prospects one at a time, with individual messages, exchanged with their permission over time.

Permission marketing is anticipated, personal, relevant.

Anticipated. People look forward to hearing from you.

Personal. The messages are directly related to the individual.

Relevant. The marketing is about something the prospect is interested in.

I know what you’re thinking. There’s a catch. If you have to personalize every customer message, that’s prohibitive. If you’re still thinking within the framework of traditional marketing, you’re right. But in today’s information age, working with customers individually is not as difficult as it sounds. Permission Marketing takes the cost of interrupting the consumer and spreads it out, over not one message, but dozens of messages. And this leverage leads to substantial competitive advantages and profits. While your competition continues to interrupt strangers with mediocre results, your Permission Marketing campaign is turning strangers into friends and friends into customers.

The easiest way to contrast the Interruption Marketer with the Permission Marketer is with an analogy about getting married. It also serves to exemplify how sending multiple individualized messages over time works better than a single message, no matter how impressive that single message is.

Two Ways to Get Married

The Interruption Marketer buys an extremely expensive suit. New shoes. Fashionable accessories. Then, working with the best database and marketing strategies, selects the demographically ideal singles bar.

Walking into the singles bar, the Interruption Marketer marches up to the nearest person and proposes marriage. If turned down, the Interruption Marketer repeats the process on every person in the bar.

If the Interruption Marketer comes up empty-handed after spending the entire evening proposing, it is obvious that the blame should be placed on the suit and the shoes. The tailor is fired. The strategy expert who picked the bar is fired. And the Interruption Marketer tries again at a different singles bar.

If this sounds familiar, it should. It’s the way most large marketers look at the world. They hire an agency. They build fancy ads. They “research” the ideal place to run the ads. They interrupt people and hope that one in a hundred will go ahead and buy something. Then, when they fail, they fire their agency!

The other way to get married is a lot more fun, a lot more rational, and a lot more successful. It’s called dating.

A Permission Marketer goes on a date. If it goes well, the two of them go on another date. And then another. Until, after 10 or 12 dates, both sides can really communicate with each other about their needs and desires. After 20 dates they meet each other’s families. Finally, after three or four months of dating, the Permission Marketer proposes marriage.

Permission Marketing is just like dating. It turns strangers into friends and friends into lifetime customers. Many of the rules of dating apply, and so do many of the benefits.

Five Steps to Dating Your Customer

Every interaction must offer the prospective customer an incentive for volunteering. In the vernacular of dating, that means you have to offer something that makes it interesting enough to go out on a first date. A first date, after all, represents a big investment in time, money, and ego. So there had better be reason enough to volunteer.

Without a selfish reason to continue dating, your new potential customer (and your new potential date) will refuse you a second chance. If you don’t provide a benefit to the consumer for paying attention, your offer will suffer the same fate as every other ad campaign that’s vying for their attention. It will be ignored.

The incentive you offer to the customer can range from information, to entertainment, to a sweepstakes, to outright payment for the prospect’s attention. But the incentive must be overt, obvious, and clearly delivered.

This is the most obvious difference between Permission Marketing and Interruption Marketing. Interruption Marketers spend all their time interrupting strangers, in an almost pitiful attempt to bolster popularity and capture attention. Permission Marketers spend as little time and money talking to strangers as they can. Instead they move as quickly as they can to turn strangers into prospects who choose to “opt in” to a series of communication.

Second, using the attention offered by the consumer, the marketer offers a curriculum over time, teaching the consumer about the product or service he has to offer. The Permission Marketer knows that the first date is an opportunity to sell the other person on a second date. Every step along the way has to be interesting, useful, and relevant.

Since the prospect has agreed to pay attention, it’s much easier to teach him about your product. Instead of filling each ensuing message with entertainment designed to attract attention or with sizzle designed to attract the attention of strangers, the Permission Marketer is able to focus on product benefits—specific, focused ways this product will help that prospect. Without question, this ability to talk freely over time is the most powerful element of this marketing approach.

The third step involves reinforcing the incentive. Over time, an incentive wears out. Just as your date may tire of even the finest restaurant, the prospective customer may show fatigue with the same repeated incentive. The Permission Marketer must work to reinforce the incentive, to be sure that the attention continues. This is surprisingly easy. Because this is a two-way dialogue, not a narcissistic monologue, the marketer can adjust the incentives being offered and fine-tune them for each prospect. Along with reinforcing the incentive, the fourth step is to increase the level of permission the marketer receives from the potential customer. Now I won’t go into detail on what step of the dating process this corresponds to, but in marketing terms, the goal is to motivate the consumer to give more and more permission over time. Permission to gather more data about the customer’s personal life, or hobbies, or interests. Permission to offer a new category of product for the customer’s consideration. Permission to provide a product sample. The range of permission you can obtain from a customer is very wide and limited only by its relevance to the customer.

Over time, the marketer uses the permission he’s obtained to change consumer behavior—that is, get them to say “I do.” That’s how you turn permission into profits. After permission is granted, that’s how it becomes a truly significant asset for the marketer. Now you can live happily ever after by repeating the aforementioned process while selling your customer more and more products. In other words, the fifth and final step is to leverage your permission into a profitable situation for both of you. Remember, you have access to the most valuable thing a customer can offer—attention.

Permission Marketing Is an Old Concept with New Relevance

Permission Marketing isn’t as glamorous as hiring Steven Spielberg to direct a commercial starring a bevy of supermodels. It isn’t as easy as running an ad a few more times. It isn’t as cheap as building a Web site and hoping that people find it on a search engine. In fact, it’s hard work. And it costs money to invest in what it takes to get a customer’s permission.

Worst of all, Permission Marketing requires patience. Permission Marketing campaigns grow over time—the opposite of what most marketers look for these days. And Permission Marketing requires a leap of faith. Even a bad interruption campaign gets some results right away, while a permission campaign requires infrastructure and a belief in the durability of the permission concept before it blossoms with success.

But unlike Interruption Marketing, Permission Marketing is a measurable process. It evolves over time for every company that uses it. It becomes an increasingly valuable asset. The more you commit to Permission Marketing campaigns, the better they work over time. And these fast-moving, leveragable processes are the key to success in our cluttered age.

So if Permission Marketing is so effective, and the ideas behind it are not really new, why was the concept not used with effectiveness years ago?

Permission Marketing has been around forever (or at least as long as dating), but it takes advantage of new technology better than any other forms of marketing. The Internet is the greatest direct mail medium of all time, and the low cost of frequent interaction makes it ideal for Permission Marketing.

Originally, the Internet captured the attention of Interruption Marketers. They rushed in, spent billions of dollars applying their Interruption Marketing techniques, and discovered almost total failure. Permission Marketing is the tool that unlocks the power of the Internet. The leverage it brings to this new medium, combined with the pervasive clutter that infects the Internet and virtually every other medium, makes Permission Marketing the most powerful trend in marketing for the next decade.

As new forms of media develop and clutter becomes ever more intense, it’s the asset of permission that will generate profits for marketers.

Source: Excerpted from Seth Godin, Permission Marketing (New York: Simon & Schuster, 1999). Adapted April 16, 2010.

Trust, as discussed in Chapter 2, is always critical. Customers are dubious of unfamiliar enterprises that have not been recommended to them. Some customers won’t buy anything online until they’ve seen other customers’ reviews and comments, even though those other customers are total strangers.

Although we talk about privacy as if it were a single topic, it is really an umbrella term, and if you ask customers what bothers them about privacy, you will get several answers.

  • The most common is a concern about criminal activity—misuse of stolen credit card numbers, usurpation of identity. This concern nearly always comes back to the issue of data security.
  • Distinct from the first point is a concern about others knowing things about them they would rather not have “out there” as common knowledge.
  • Another issue is the idea that they would rather not be bothered if they don’t want to be: spam is driving them crazy, and marketing calls at dinner are a nuisance.

Meanwhile, if you ask enterprise executives what the term privacy means to them, and they’re honest with you, you may find that privacy is a risk of fines on each breached record and a potential minefield for public relations. To the lawyers, it may be about regulation compliance and litigation avoidance. But to those in the organization whose mission is to build the value of the customer base, privacy is what customers think it is, and it’s also:

  • Getting information from customers who are comfortable giving it.
  • Using the information to build mutual value with each customer.
  • Protecting customer data as a valuable competitive asset (through data security, protective processes, and customer-focused culture).
  • Communicating data protection to customers.

Relationships require trust, and privacy is one of its underpinnings.

Moreover, as each organization moves to globalize its operations, its leaders will need to be aware of and comply with the many legal requirements of the nations in which it serves customers, and they will need to respect the individual cultures of these countries. Enterprises will also need to protect the accuracy, transmission, and accessibility of their customer records. In the next few sections, we examine how enterprises protect the precious customer data they collect. We also peer into the many differences between privacy rules in the United States and Europe.

Individual Privacy and Data Protection

Larry A. Ponemon, Ph.D.

Chairman, The Ponemon Institute

Businesses and governments have a responsibility to maintain the security and integrity of personal data that they process. The competitive pressure to profit from data collected about a customer by analyzing it for the purposes of personalization and customization collides with privacy concerns. Advocates believe it can help customers save time and effort and supply them with better targeted offers and improved customer service. When users provide personally identifiable information during a transaction, they are looking for assurance that their personal data will not be misused. Although the data can be traced to a computer, most data collected are anonymous. It is when a user provides personally identifiable information by filling out a form or volunteering personal information during a transaction that the concerns of potential abuse grow stronger. Other areas of particular concern include linking personally identifiable profiles with more extensive demographic or credit card information or connecting and reselling information from disparate data sources.

Chief Privacy Officers Protect Customer Privacy—Ours or Theirs?

Some enterprises, recognizing the new importance of the spectrum of privacy issues, particularly if their business faces global trading issues, have created the full-time position of Chief Privacy Officer instead of assigning this responsibility to existing positions, such as the Chief Information Officer or the Chief Technology Officer. Corporate icons such as American Express, Citigroup, Prudential Insurance, and AT&T have hired privacy officers who in many cases report directly to the chairman or the CEO. At the Internet Advertising Bureau’s Privacy Forum, Rich LeFurgy, Internet Advertising Bureau chairman and general partner, Walden VC, explained, “At the center of all business models is consumers. Protecting their PII (personally identifiable information) is the key to the future.”

The responsibilities of the chief privacy officers (CPOs) (often undertaken by the Chief Information Officer) include addressing the following:

  • How does the company ensure that consumers will be notified about what information is collected?
  • How can the company protect personal data from unauthorized use?
  • How does a company provide consumers access to their personal information and the ability to change it?
  • How does a company have guidelines for the use of personal information?
  • Does it have a complete data-flow map showing the flow of information?
  • What procedures ensure consumers are notified of changes in privacy policies?
  • Is notification enough? Or is awareness required?
  • What procedures exist to ensure business partners use personal information according to policy?
  • Is compliance enough? Or is establishing trust required?
  • How often does the company train employees on fair information and privacy practices?

As enterprises continue to globalize their operations, they need to be sensitive to, and in compliance with, the legal requirements and cultural sensitivities of the individuals with whom they do business. In addition, they need to protect adequately the accuracy, integrity, transmission, and accessibility of their electronic records and, in some nations, paper records. Regulatory compliance is not achieved without cost to the organization; and, where regulation exists, it must be complied with. However, beyond reducing the risk of regulatory noncompliance, the benefits of good privacy practice include:

  • Reduction of cost by eliminating the collection and management of unnecessary information.
  • Reduction of the risks associated with inaccurate or out-of-date information.
  • Improvement in consumer and employee trust and confidence in the use and security of personal data.

Ultimately, the business concerns about issues surrounding privacy fall into two categories:

1. Individual privacy. On an international level, the United Nations Declaration of Human Rights and the European Convention on Human Rights recognize privacy as a fundamental human right. Many nations have constitutional provisions, legislation, or court decisions that define the individual’s right to privacy as the right to be left alone—to be free from unwarranted intrusion.

2. Data protection. Businesses and governments have a responsibility to maintain the security and integrity of the data that they process. For businesses, this primarily means information gathered about individual customers and employees that is collected in the course of completing business transactions.

Today, consumer privacy concerns have been heightened by the technological changes surrounding the Internet. Technological improvements also put new pressures on businesses. Online companies that are under intense pressure to differentiate themselves are motivated to enhance value by outfitting their sites with increased personalization, requiring more granular customer data. Consumers express concern that inaccurate information can be used against them or affect them in the future, that personal information will be disclosed to third parties without their knowledge and consent, and that the security that surrounds their data is lacking. Identity theft provides just one example of how real these concerns are.

A comprehensive approach to data protection and privacy compliance identifies and resolves the issues while noncompliance creates unnecessary risks. By identifying the elements of current regulatory and self-regulatory approaches to privacy, it is possible to derive a set of common elements that can serve as a starting point for an organization’s global privacy compliance initiatives. Such a framework should include the following key elements.a

  • Notice. The enterprise provides data subjects with clear and prominent notice of who is collecting their personal information, the intended use of the information, and its intended disclosure.
  • Choice. The enterprise offers data subjects choices as to how their personal identifying information will be used beyond the use for which it was provided; choices would encompass both internal secondary uses such as marketing back to data subjects, and external secondary uses such as disclosing data to other entities.
  • Access. The company enables data subjects to obtain appropriate access to information that it holds and to correct or amend that information where necessary.
  • Data security. The enterprise takes reasonable precautions to protect data from loss, misuse, alteration, or destruction and ensure that those to whom data is transferred have adequate privacy protection.
  • Data integrity. The firm keeps only personal data relevant for the purpose for which it has been gathered, consistent with the elements of notice and choice.
  • Onward transfer. The firm transfers data only as consistent with the elements of notice, choice, and security.
  • Enforcement. The company ensures compliance with key privacy elements and provides recourse for individuals, such as complaint and dispute procedures, verification of ongoing compliance, and obligation to remedy problems arising from noncompliance.

Source: Adapted from Larry Ponemon, Ph.D., “Individual Privacy and Data Protection,” in Don Peppers and Martha Rogers, Ph.D., Managing Customer Relationships: A Strategic Framework (Hoboken, NJ: John Wiley & Sons, 2004), pp. 228–232.

a. Wylie Wong, “Sun Switches Gears on Security,” CNET News, July 25, 2002.

Privacy in Europe Is a Different World

The privacy debate in Europe is just as fierce as in the United States, although the rules about privacy are starkly different in Europe. In the United States, an individual’s habits and behavior may be examined by an employer, a retail merchant, and by companies on the Web. This information is then used to target the customer for marketing purposes or is resold to other companies. By contrast, in most European countries, it is illegal to monitor an individual under any of these circumstances and use the information to target the customer. The ground rules for privacy for members of the European Union (EU) are laid down in the European Union Data Protection Directive, originally adopted in 1995, which applies to electronic and paper filing systems, including financial services. The directive requires EU member states to amend national legislation to guarantee individuals certain rights to protect their privacy and to control the contents of electronic databases that contain personal information. The data covered by the directive are information about an individual that somehow identify the individual by name or otherwise. Each European nation’s government implements the directive in its own way.

Under the directive, information about consumers must be collected for specific, legitimate purposes and stored in individually identifiable form. Those collecting the data must tell the consumer who ultimately will have access to the information. The rules are stricter for companies that want to use data in direct marketing or to transfer the data for other companies to use in direct marketing. The consumer must be explicitly informed of these plans and given the chance to object. U.S. and European principles on privacy share a key similarity. The Data Protection Directive and U.S. privacy laws attempt to protect human rights. However, both do little to check the growth of government databases or information-collection powers. In his white paper, “Privacy and Human Rights: Comparing the United States to Europe,” Solveig Singleton writes:

The view that uses of information for marketing in the private sector themselves violate human rights is a peculiar one. Why should a business not be free to record and use facts about transactions, about real people and real events, to develop products and to identify people who might have an interest in its products? Once a consumer enters into a transaction with another entity, this entity has as much of a right to use the information about the transaction as the consumer. Why would it violate someone’s rights to use information about him to sell him something? This is a far cry from torturing him or seizing his home.11

Europeans do not allow the sharing of personal information between enterprises; this area is not yet regulated by the U.S. government.12 In contrast to the United States, where more of a free market approach is taken to many things, including customer privacy protection, the European Privacy Directive prohibits enterprises from transferring electronic records of personal information—including names, addresses, and personal profiles—across borders. It is at least partly intended to reduce trade barriers within the EU by standardizing how various companies treat individual information in different countries. If European nations must follow the same standards about privacy protection, then trade between nations can occur more freely. Personal data on EU citizens may be transferred only to countries outside the 15-nation bloc that are deemed to provide “adequate protection” for the data. But the rising use of social networking sites worldwide is putting the European Privacy Directive to the test. A strict reading implies that those who “tag” their friends in Facebook, upload videos to YouTube, or post other personal material to social networking sites without consent are breaking the law.13

European Organization for Economic Cooperation and Development Privacy Guidelines

1. Data must be collected using lawful and fair means and, where possible, with the consent of the subject.

2. Data must be accurate, complete, and up-to-date to ensure quality is adequate for use.

3. Purposes of data usage should be specified prior to collection and should not be subsequently extended.

4. Personal data should not be disclosed without legal cause or the consent of the data subject.

5. Data should be protected by reasonable security safeguards.

6. The existence and nature of personal data should be discoverable.

7. Data should be available to the subject to enable the correction of inaccurate information.

Source: Partial list excerpted from “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” available at: www.oecd.org, accessed September 1, 2010.

Data protection negotiations between the United States and the EU reached a pivotal point in July 2000, when the European Commission declared that the Safe Harbor arrangement put in place by the U.S. government to protect personal data transmitted in the course of Internet commerce must meet EU standards. The Safe Harbor agreement states that if U.S. enterprises agree to a certain set of minimal privacy standards when doing business in Europe, they will be free from litigation. It was aimed at heading off the possibility that data transfers to the United States might be blocked following the enactment of the EU’s Data Protection Directive. Under Safe Harbor, U.S. companies can voluntarily adhere to a set of data protection principles recognized by the commission as providing adequate protection and thus meeting the requirements of the directive regarding transfer of data out of the EU.

The Safe Harbor standards, however, are not as rigorous as what Europeans have set for themselves. As part of the agreement, the U.S. Federal Trade Commission (FTC) and U.S. judicial system will be authorized to impose sanctions on companies that violate data privacy rules. The U.S. Commerce Department will keep tabs on self-regulating companies, which will have to apply annually for membership in the department’s register. Although participation in the U.S. Safe Harbor scheme is optional, its rules are binding on U.S. companies that decide to join, and they are enforced by the FTC.

The Privacy Directive serves an important purpose within Europe, by synchronizing these various government policies, to make it easier for any company to do business across the continent. However, some U.S. enterprises are criticizing it as little more than a nontariff trade barrier, designed primarily to ensure that any new, pan-European customer service infrastructures are staffed by employees working within the boundaries of the EU itself.

Where it exists, a regulatory approach such as the Privacy Directive may or may not be effective at curbing the abuse of individual consumer privacy. But it could potentially curb Europe’s economic growth prospects and threaten consumers’ own interests as well. Managing relationships in the interactive age depends on the collection and use of individual customer information. As enterprises become increasingly global, it is vital that this information be accessible to sales, marketing, and customer care professionals worldwide. It is the only way to provide seamless, personal service—based on a unified view of the customer—across borders. Call centers or Web sites in Ireland might serve consumers in the United States or Argentina as well as in France or Italy.

The potential impact of the directive, if enforced as written, is extreme. Sweden’s privacy agency told American Airlines in 1999 that it could not transmit information about Swedish passengers to its U.S.–based Sabre system. This, in effect, would have prevented the airline from individualizing its service offering to its Swedish customers. Under the directive, it is even conceivable that a person could be arrested for saving business card data to his laptop and trying to cross the border with it.

No matter where in the world it conducts business, the customer-strategy enterprise tries to remain sensitive to how privacy rules are enforced and respected. Critical, too, is that the enterprise show to the world that it respects each customer’s right to privacy through the publication of and adherence to its own written privacy pledge.

Privacy Pledges Build Enterprise Trust

If the enterprise is to establish a long-term relationship with a customer based on individual information, it will recognize that customer data are its most valuable asset, will secure and protect that data, and will share the policy for that protection in writing with its customers, partners, and vendors, in the form of a privacy pledge. That pledge will permeate its own culture and be part of its employees’ DNA. The privacy pledge will spell out:

  • The kind of information generally needed from customers
  • Any benefits customers will enjoy from the enterprise’s use of this individual information
  • Any events that might precipitate a notification to the customer by the enterprise
  • An individual’s options for directing the enterprise not to use or disclose certain kinds of information

Enterprises sometimes jeopardize their relationships with customers by engaging in unethical moves that compromise customer privacy for short-term marketing gain. That’s why enforcing a privacy policy is reassuring to many customers. Fortunately, according to a survey done by the Retail Industry Leaders Association and Retail Systems Research, 72 percent of top retailers understand that customers are concerned about privacy and that their personal information must be protected.14 But being careful with customer data is not enough for the enterprise. Such a company must also get agreements in writing with all its vendors and partners that confirm they too will comply with enterprise privacy standards. A midwestern bank committed to protecting its customers’ information learned that a printing company that produced checks for the bank’s customers had been copying the names and addresses of customers, routinely printed in the upper left corner of the checks, and reselling that information to list brokers. These list sellers in turn were selling the information to insurance agencies, garden supply companies, competitive financial services institutions, and others.

As the privacy debate rages, customers are, more and more, aware of whether they are given a chance either to opt in (proactively elect to receive future communications from the enterprise) or opt out (tacitly choose to receive them by inaction, unless they actively opt out). Consumer groups tend to favor opt-in as a better protection for consumers, whereas industry groups point to very low participation levels and, ironically, fewer targeted messaging efforts, and therefore tend to favor opt-out. Frequently, however, this opt-in or opt-out choice is an all-or-nothing toggle switch. To treat customers in a more one-to-one fashion, best practice today is to offer choices to the customer, with respect not just to the types of information he may choose to receive, but also as to the frequency with which he is contacted with this information.

What greater assets do any company, online or off, have to dangle in front of other companies than the private data of thousands, or even millions, of customers? Do the rules change when a company is bought out or goes bankrupt? What happens to a company’s privacy pledge when there no longer is a company? And what guarantee is there that the new owner of your data will honor the same privacy standards as the former owner?

There is a simple, universal solution: The global business community needs to prevent such abuses, and preferably without government intervention. In this Information Age, technologies are cropping up to help the process. Software enables online users to control how sites collect, control, use, and share their personal information. With privacy pledges under scrutiny, more enterprises are adopting and publicizing them. Nonetheless, many enterprises still do not state their policies, and others never share user data with third parties.

What constitutes a good privacy protection policy? For starters, it should explain to customers what kinds of information the company needs from them, how the information will be used, and how it will not be used. It should also explain the benefits a customer would gain by sharing personal information. Enterprises need to promote their privacy policies beyond the Web site and corporate promotional collateral, including them in direct-mail pieces, invoices, and other company mailings. A privacy policy will reinforce the foundation on which each customer relationship is built. Trust is an essential part of any Learning Relationship, and a privacy policy helps build that trust.

Building a trusted relationship goes far beyond simply writing a privacy policy and posting it on the Web site. Unless the enterprise is careful as to how it uses sensitive customer information, the opportunity for forming Learning Relationships may disappear. It is important to recognize, however, that some individuals do not want companies to know which Web sites they visit or anything about their personal information. In the headlong rush of enterprises to use the latest databases, data-mining techniques, neural nets, and Internet-based information collection systems, some have neglected or overlooked this important issue. Moreover, a customer’s willingness to collaborate with an enterprise by interacting with the firm could be one important measure of the customer’s value to the enterprise.

It is important to explain the motives for wanting to create a relationship with a customer. Enterprises need to describe to customers how they will benefit by exchanging personal information with them. Once customers have read the privacy pledge and understand that their personal information will not be sold or shared irresponsibly, they simply want to know how providing their personal data will affect customer service. Beyond the security or convenience of the actual transaction, what assurance does a customer have that his personal information will not be misused or abused? After all, most customers have experienced the irritation of “getting on a list” and, as a consequence, received unsolicited direct mail and outbound telemarketing calls. Ironically, if a customer does not provide information to an enterprise about what he likes to buy, the likelihood is that he will receive more junk mail or direct-mail pieces that promote products and services of little interest to him and his needs. Clearly, this question has yet to be definitively resolved.15

These and many other privacy-related questions may never be fully settled. But the customer-based enterprise has to monitor changing privacy issues closely. Intensifying the privacy debate is the way customer information is being collected and used on the Internet. The Web has created a powerful medium to collect and analyze customer data. But how can enterprises afford customers the same privacy protection online as they do in the “real world”? And how sensitive are customers to divulging personal information on the Web?

Ten Points to Consider in Developing a Company’s Privacy Pledge

Every enterprise that maintains a Web site or collects personal information about its customers needs to establish an explicit privacy protection policy. The enterprise might call it a Privacy Pledge or a Privacy Bill of Rights, but it needs to consider covering these 10 key points:

1. Itemize the kind of information it collects about individual customers.

2. Specify how personal information will be used by the company. If its policy is to use this kind of information only within the company on a need-to-know basis, and not to make it accessible to unauthorized employees at any time, the enterprise needs to explain this policy explicitly.

3. Make whatever commitments it can make with respect to how individual customer information will never be used (e.g., personal information is never sold or rented to others, or never used to change prices or insurance premiums, etc.).

4. State the benefits an individual customer can expect as a result of its use of his information (faster or preferential service, reduced costs, etc.).

5. List a customer’s options for directing the enterprise not to use or disclose certain kinds of information.

6. State how a customer can change or update personal information it has collected. For example, can the consumer access his profile or account information online or modify it?

7. Identify events that might precipitate a notification to the customer by the enterprise. If, for instance, a court subpoenas your customer records, will you notify any customers whose information was subpoenaed?

8. Assign a corporate executive as the “data steward,” charged with overall responsibility for assuring the adherence to company information and privacy policies.

9. Specify the situations in which it accepts or denies liability for damages incurred through the collection and use of customer data, such as through credit card fraud or misuse.

10. Provide specific procedures allowing a customer to order the company to stop collecting data about him, or to purge his information files at the company.

Source: From Don Peppers, Martha Rogers, Ph.D., and Bob Dorf, The One to One Fieldbook (New York: Doubleday, 1999), 99–100.

The bottom line is that the information that technology provides about your customers, and the increasingly cost-efficient tools you have to interact directly with customers and to facilitate them interacting with each other, should be used to build more trust. It really won’t matter what your formal privacy protection policy is, or how well you comply with whatever anti-spam regulations are enforced, if you don’t see the problem through the right end of the telescope—that is, from the customer’s perspective. Fail to take this point of view and you are still going to be undermining your customers’ trust.16

Submitting Data Online

For many consumers who buy online, the protection of their personal information is a valid concern. To the selling enterprise, however, information is like currency—it enables them to identify customers and customize their offerings based on that information.

By personalizing their products and services for online customers, enterprises stand to enhance their revenue. More than half of frequent online shoppers are more likely to make a purchase on a Web site that offers personalization features.17 Still, online users believe that Web sites should be accountable for explaining to them how their information will be used, as more and more consumers feel out of control regarding their personal information.18 According to a Pew Internet & American Life survey on cloud computing:

  • 90 percent of users would be “very concerned” if the company storing their data sold it to another company.
  • 80 percent would be “very concerned” if companies used their data for marketing purposes.
  • 68 percent would be “very concerned” if service providers analyzed their information and then displayed ads to them based on their actions.19

Web site personalization requires consumers to submit information about themselves, such as their names, zip codes, interests, and even credit card numbers. Consumers personalize the online sites they visit to enhance their online experiences, but many do not want to have their information shared among Web sites without their knowledge.

Personalization online helps customers to access the specific content and products they are looking for while giving the enterprise access to their browsing habits. For many enterprises, the objective of personalization on the Web is to increase customer loyalty through return visits. Privacy advocates claim that the instances of abuse of consumer data are a sign of how Internet marketers are overstepping their boundaries. The marketers, in turn, argue that data gathering is merely a nonthreatening way of fine-tuning marketing for the convenience of consumers. A firm will have to accomplish two things to break down the mistrust barrier between the customer and the online merchant:

1. Offer assurances of confidentiality. Customers want to know whether their personal data will be sold or used beyond simply information gathering.

2. Build Learning Relationships on trust. Enterprises will need to develop individual, personalized relationships with their customers to promote trust and enhance loyalty.

As privacy-protection advocates in Australia, the United States, and Europe continue to fuel the debate that it is wrong for companies to abuse personal information about their customers on the Web, enterprises will need to take a balanced view, not second-guess what their customers “really” want. The customer-strategy enterprise will strive to protect an individual’s privacy online but also weigh the real benefits of personalization against its real costs, as we see in the following excerpt, from Blown to Bits, by Abelson, Ledeen, and Lewis.

Blown to Bits

Hal Abelson

Class of 1922 Professor of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, and IEEE Fellow

Ken Ledeen

Chairman and Chief Executive Officer, Nevo Technologies, Inc.

Harry Lewis

Gordon McKay Professor of Computer Science, Harvard University

Why can’t we just keep our personal information to ourselves? Why do so many other people have it in the first place, so that there is an opportunity for it to go astray, and an incentive for creative crooks to try to steal it?

We lose control of our personal information because of things we do to ourselves, and things others do to us. Of things we do to be ahead of the curve, and things we do because everyone else is doing them. Of things we do to save money, and things we do to save time. Of things we do to be safe from our enemies, and things we do because we feel invulnerable. Our loss of privacy is a problem, but there is no one answer to it, because there is no one reason why it is happening. It is a messy problem, and we first have to think about it one piece at a time.

We give away information about ourselves—voluntarily leave visible footprints of our daily lives—because we judge, perhaps without thinking about it very much, that the benefits outweigh the costs. To be sure, the benefits are many.

Saving Time

For commuters who use toll roads or bridges, the risk-reward calculation is not even close. Time is money, and time spent waiting in a car is also anxiety and frustration. If there is an option to get a toll booth transponder, many commuters will get one, even if the device costs a few dollars up front. Cruising past the cars waiting to pay with dollar bills is not just a relief; it actually brings the driver a certain satisfied glow.

The transponder, which the driver attaches to the windshield from inside the car, is a radio frequency identification (RFID), powered with a battery so identifying information can be sent to the sensor several feet away as the driver whizzes past. The sensor can be mounted in a constricted travel lane, where a toll booth for a human toll taker might have been. Or it can be mounted on a boom above traffic, so the driver doesn’t even need to change lanes or slow down.

And what is the possible harm? Of course, the state is recording the fact that the car has passed the sensor; that is how the proper account balance can be debited to pay the toll. When the balance gets too low, the driver’s credit card may get billed automatically to replenish the balance. All that only makes the system better—no fumbling for change or doing anything else to pay for your travels.

The monthly bill—for the Massachusetts Fast Lane, for example—shows where and when you got on the highway—when, accurate to the second. It also shows where you got off and how far you went. Informing you of the mileage is another useful service, because Massachusetts drivers can get a refund on certain fuel taxes, if the fuel was used on the state toll road. Of course, you do not need a Ph.D. to figure out that the state also knows when you got off the road, to the second, and that with one subtraction and one division, its computers could figure out if you were speeding. Technically, in fact, it would be trivial for the state to print the appropriate speeding fine at the bottom of the statement, and to bill your credit card for that amount at the same time as it was charging for tolls. That would be taking convenience a bit too far, and no state does it, yet.

What does happen right now, however, is that toll transponder records are introduced into divorce and child custody cases. You’ve never been within five miles of that lady’s house? Really? Why have you gotten off the highway at the exit near it so many times? You say you can be the better custodial parent for your children, but the facts suggest otherwise. As one lawyer put it, “When a guy says, ‘Oh, I’m home every day at five and I have dinner with my kids every single night,’ you subpoena his E-ZPass and you find out he’s crossing that bridge every night at 8:30. Oops!” These records can be subpoenaed, and have been, hundreds of times, in family law cases. They have also been used in employment cases, to prove that the car of a worker who said he was working was actually far from the workplace.

How Sites Know Who You Are

1. You tell them. Log in to Gmail, Amazon, or eBay, and you are letting them know exactly who you are.

2. They’ve left cookies on one of your previous visits. A cookie is a small text file stored on your local hard drive that contains information that a particular web site wants to have available during your current session (like your shopping cart), or from one session to the next. Cookies give sites persistent information for tracking and personalization. Your browser has a command for showing cookies; you may be surprised how many web sites have left them!

3. They have your IP address. The web server has to know where you are so that it can ship its web pages to you. Your IP address is a number like 66.82.9.88 that locates your computer in the Internet. … That address may change from one day to the next. But in a residential setting, your Internet Service Provider (your ISP—typically your phone or cable company) knows who was assigned each IP address at any time. Those records are often subpoenaed in court cases.

If you are curious about who is using a particular IP address, you can check the American Registry of Internet Numbers (www.arin.net). Services such as whatismyip.org and ipchicken.com also allow you to check your own IP address. And www.whois.net allows you to check who owns a domain name such as Harvard.com—which turns out to be the Harvard Bookstore, a privately owned bookstore right across the street from the university. Unfortunately, that information won’t reveal who is sending you spam, since spammers routinely forge the source of email they send you.

Source: Excerpted with permission from Hal Abelson, Ken Ledeen, and Harry Lewis, Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion (Reading, MA: Addison-Wesley Professional, 2008), p. 40.

It’s Just Fun to Be Exposed

Sometimes, there can be no explanation for our willing surrender of our privacy except that we take joy in the very act of exposing ourselves to public view. Exhibitionism is not a new phenomenon. Its practice today, as in the past, tends to be in the province of the young and the drunk, and those wishing to pretend they are one or the other. That correlation is by no means perfect, however. A university president had to apologize when an image of her threatening a Hispanic male with a stick leaked out from her MySpace page, with a caption indicating that she had to “beat off the Mexicans because they are constantly flirting with my daughter.”

And there is a continuum of outrageousness. The less wild of the party photo postings blend seamlessly with the more personal of the blogs, where the bloggers are chatting mostly about their personal feelings. Here there is not exuberance, but some simpler urge for human connectedness. That passion, too, is not new. What is new is that a photo or video or diary entry, once posted, is visible to the entire world, and that there is no taking it back. Bits don’t fade and they don’t yellow. Bits are forever. And we don’t know how to live with that.

For example, a blog selected with no great design begins:

This is the personal website of Sarah McAuley. … I think sharing my life with strangers is odd and narcissistic, which of course is why I’m addicted to it and have been doing it for several years now. Need more? You can read the “About Me” section, drop me an email, or, you know, just read the drivel that I pour out on an almost-daily basis.

Because You Can’t Live Any Other Way

Finally, we give up data about ourselves because we don’t have the time, patience, or single-mindedness about privacy that would be required to live our daily lives in another way. In the United States, the number of credit, debit, and bank cards is in the billions. Every time one is used, an electronic handshake records a few bits of information about who is using it, when, where, and for what. It is now virtually unheard of for people to make large purchases of ordinary consumer goods with cash. Personal checks are going the way of cassette tape drives, rendered irrelevant by newer technologies. Even if you could pay cash for everything you buy, the tax authorities would have you in their databases anyway. There even have been proposals to put RFIDs (radio frequency identifications) in currency notes, so that the movement of cash could be tracked.

Only sects such as the Amish still live without electricity. It will soon be almost that unusual to live without Internet connectivity, with all the fingerprints it leaves of your daily searches and logins and downloads. Even the old dumb TV is rapidly disappearing in favor of digital communications. Digital TV will bring the advantages of video on demand—no more trips to rent movies or waits for them to arrive in the mail—at a price: Your television service provider will record what movies you have ordered. It will be so attractive to be able to watch what we want when we want to watch it, that we won’t miss either the inconvenience or the anonymity of the days when all the TV stations washed your house with their airwaves. You couldn’t pick the broadcast times, but at least no one knew which waves you were grabbing out of the air.

Source: Excerpted with permission from Hal Abelson, Ken Ledeen, and Harry Lewis, Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion (Reading, MA: Addison-Wesley Professional, 2008), pp. 36–37, 40–42.

So much changed about the U.S. national attitude toward privacy on September 11, 2001. With the terrorist attacks on New York and Washington, D.C., U.S. national security was threatened as it had never been before. But on a more personal level, U.S. citizens felt that their individual safety was in jeopardy. The threat of additional terrorist attacks led to a heightened state of security at many public places, including airports, sporting events, and bridges and tunnels.

Universal ID

One solution offered after September 11, 2001, was the creation of a Universal ID card for each citizen to carry. The card could contain an electronic thumbprint of the cardholder so the person could be easily identified if questioned. This concept is akin to automobile license plates, which automatically expose the owner of the vehicle to the police, who simply need to check the plate number against their database. Would citizens be opposed to carrying a card that revealed personal information to anyone who swipes their cards? What about an embedded RFID chip?

In the immediate aftermath of September 11, the civil rights of private citizens became a public issue. How much could the government encroach on a person’s right to privacy in the shadow of terrorism? How much was okay if it made us all safer? What if it only made us feel safer? Could the government begin to check the backgrounds and personal information of anyone it deemed to be a suspicious terrorist?

As you read Esther Dyson’s classic contribution, Privacy on the Net, think about what the world will be like in a few years. What would happen if enterprises and the government became adept at combining personal information about individuals from different sources? What would it mean for people who participate in society and those who do not (such as the Amish)?

Privacy on the Net

Esther Dyson

Chairman, EDventure Holdings

By 1997, consumer privacy had become a big issue in the United States. A number of trends had been combined. More data was being collected, online and off. Direct marketers, telemarketers, and assorted shady people were invading people’s privacy, and press coverage highlighted this issue. The Federal Trade Commission held hearings on consumer privacy, saying in effect: “Tell us the problems and propose some solutions, or we’ll have to regulate.”

There were also several bills pending in Congress, likely to change form over time: the Consumer Internet Privacy Protection Act of 1997 (Rep. Bruce Vento, D-MN); the Children’s Privacy Protection and Parental Empowerment Act (Rep. Bob Franks, R-NJ); and the Communications Privacy and Consumer Empowerment Act (Rep. Ed Markey, D-MA).

With some justification, many people, both potential users and potential government regulators, perceived the Net as a scary, unregulated place. The Net makes it even easier for lots of people, not just well-capitalized mass marketers or obsessive creeps, to get at information and use it for undesirable and even dangerous ends.

Beyond Web Sites, beyond Labels

These issues of privacy didn’t begin with the Internet, and they can’t be resolved by controlling what happens on any, or even all, individual Web sites. The problems arise when information travels among Web sites—or away from them to places where people and companies assemble databases of information gleaned from many Web sites and from non-Web mailing lists, directories, news reports, listings … and other databases. A lot of this information has traditionally been available to people willing to go to a lot of trouble, visiting county document vaults, calling companies posing as a prospective employer or old boyfriend, or spending several hundred dollars to get an investigator’s license. It has also been available on a random basis to criminals in jail doing data-entry work, bored clerks at the IRS, and various other untrustworthy people in trusted positions.

Many companies, notably TRW, Equifax, Metromail, and some credit card providers, manage huge amounts of such data and trade it among themselves. Yes, it makes the economy more efficient and keeps revenues up and costs down. But not all of the companies who manage the information are especially honorable—nor are all of their employees.

The growing presence of the Web increases the ease of both collecting such data and assembling it. The interconnectedness of the Net makes safeguarding privacy an increasing challenge. People are rightly concerned about the combination of data from different sources: Web behavior, buying habits, travel history, income data. Often, facts are innocuous until they’re combined with other facts.

The user wants a seamless experience as he explores the Web, but he wants to appear as a discrete entity to each place he visits, with a legitimate identity revealed as appropriate—a credit rating, an employment record, a bank account, or a medical history. Indeed, a person’s identity gets plastered all over the Net in little fragments—no problem. But then someone in particular—anyone from a benign marketer only after the customer’s business, to an employer, a stalker, or a blackmailer—can start collecting those fragments. One version of the problem is when the data are incorrect (and the user is the last to know); another version is when they are true.

In response, the marketplace and the government are setting up systems to foster privacy. As a society, we can’t totally guarantee everyone’s privacy. But we can create a situation where people can choose the level of privacy they want according to trade-offs they determine for themselves, and provide them with a means of recourse when promises are breached. When that happens, I believe, people will feel more comfortable on the Net overall and no longer fear the visibility it fosters.

Two Kinds of Information

There are two broad classes of information about yourself that you create on the Net: one kind that you generate when you engage in a one-to-one transaction with someone, and another kind that you generate when you do something in “public”—post an opinion, send out a message to several people, or supply information on your own Web site.

The “one-to-one” data is created by a variety of individual exchanges and transactions—anything from visiting a Web site to buying a racy book, revealing personal data in order to win a prize, or stating your income on Barron’s site for investors. In principle such information is private—but not in practice. Here’s one tale of woe from Russell Smith, a privacy activist who testified at the Federal Trade Commission hearings:

… my every move on the Internet could potentially be tracked. For instance, I recently did a search of newsgroups via the DejaNews service. In my search I was searching on my username “russ-smith.” The search turned up an entry in some type of an adult newsgroup. When I clicked on the message it turns out it had nothing to do with me. However, the banner ad I received was for an adult site from a widely used banner network called The Link Exchange. Does my profile now include this information? Is my search criterion (“russ-smith”) also associated with this information? Do they have my name and address since I have purchased products (and entered personal information) at other sites with these banner ads? Is it being sold? How can I find out? Can I expunge it?

Flawed Solutions

The solutions most often presented in response to this situation generally miss the point. We don’t need new government regulation that stops the free flow of information voluntarily given, outlaws cookies, and makes customization difficult (except perhaps where children and coercion are concerned).

Nor do we need a Direct Marketed Association—a force equal in power to the Direct Marketing Association but aligned with someone’s vision of consumers’ interests. After all, consumers don’t all have the same interests; what they really need is choice.

Instead, we need the kinds of policies that the Liberty Alliance is fostering, which would allow users more control over the kind of data that gets passed from vendor to vendor. An even more user-focused initiative is Ping Identity, based in Denver.

Tools for Customer Empowerment

Much as I hate the term, what I’m talking about here is customer “empowerment,” not “self-regulation”—transforming passive customers into active customers who can monitor vendor practices for themselves. That implies some kind of broad movement to give customers the tools to do so, but the actual enforcement and use of the tools should be decentralized into users’ hands.

The reason to avoid government regulation is not that government oversight is always bad; government courts and other enforcement mechanisms are a necessary backup to systems such as TRUSTe and Liberty Alliance. It’s simply that front-line customer enforcement is likely to be more flexible and more responsive to actual conditions than government regulation. A decentralized system scales up nicely and crosses borders with ease. Customer enforcement will give users greater choice, while at the same time giving them confidence that they can trust the medium. People can pick data-control practices that suit them, rather than be forced to operate in a one-rule-fits-all environment. The overriding rule should be that providers must disclose—label—themselves clearly and honestly. And then they must do what they promise.

The goal is not to regulate cyberspace, nor to solve all problems concerning privacy (or content) online, but rather to carve out enough clean, well-lighted territory so that the dark parts of the Net lose their power to scare people away. In the end, most people will prefer to live in safe neighborhoods, while potential predators will find few victims other than their own kind.

In practice, privacy protection is more than data or technology. How can we achieve it without making the world into a sterile place where everyone is anonymous? Most customers actually like to be treated as known individuals by marketers that they in turn know and trust. The rhetoric promises a global village, not a global city. Real privacy—which is respect for people rather than mere absence of data—depends on human judgment and common sense.

What Would Deep Blue Be Like with Hormones?

Let’s try a thought experiment. Imagine that you have lived your entire life on the Net, isolated from the physical world. You know a lot of people intimately: You’ve heard their ideas; you’ve argued with them; you’ve watched them mature, get angry, trade jokes, do business, make and lose friends. You have made and lost friends yourself. These people are real to you; you want their respect; you ask them for advice. And you are real to them. You and they take your Net presence for granted—all the things you have ever posted, all the data about you, all the Net chatter about you. But you have never seen them.

Now suppose you meet these people in real, physical, terrestrial life. They’re fat or thin; blond or dark; young or old; white or African American or Asian; male or female. There’s more! Each person has these little peculiarities—a scar, asymmetrical eyebrows, a particular style of dress or pattern of speech, and so on. None of them is any big deal; they’re merely expressions of each person’s identity. (Yes, some people do hate their nose, undergo cosmetic surgery, or have an obsession with their own hair, but few people wear a mask.)

None of these features is any big secret, and most are familiar (if not explicitly so) to that person’s friends and even acquaintances. Others—for example, presidents and movie stars—are known to the world. Some are genetically determined; some are shaped by the person; some are an artifact of culture (such as a woman’s shaved legs).

But how about you? You would probably at first be very sensitive about your own physical being. You would feel vulnerable and exposed as you joined the physical world. All these people can see how you look, judge your hairstyle, criticize your weight or your taste in shirts… . Should you shave? Should you wear your trousers rolled?

But after a while you would probably relax, just as you have already in the real world since being an awkward teenager. People know how you dress and how you look, and most of them now are accustomed to it. Meanwhile, you’re accustomed to the face you present to the world. You may be taken aback to see your profile or, worse, the back of your head in a mirror. But on the whole, you’re probably relaxed about your physical existence because it has come to seem normal.

That same thing happens with your Net persona.

The New Privacy

As people feel more secure in general on the Net, they will become accustomed to seeing their words recorded and replayed. They will no longer feel uncomfortable being on display, since everyone around them is on display too. In the same way, feelings of physical exposure tend to depend on fashion and custom as well as innate sensibility. Thirty years ago the sight of a woman’s navel was shocking except by the pool; now it’s routine. One hundred years ago, a nanny told my grandmother she was a “shameless hussy” for taking off her shoes at the beach.

Everyone has personal preferences for privacy, but they are influenced by the surrounding culture and by the surrounding economy. It’s hard to fulfill a desire for privacy if you’re living in a one-room apartment with the rest of your eight-person extended family. If you travel or mingle with people from other cultures, you will notice that Americans expect a lot more “personal space” than most people.

Nowadays, people reveal much more about themselves—for better or worse—than they used to. It’s inevitable that people will simply become more comfortable with the fact that more information is known about them on the Net. The challenge is not to keep everything secret, but to limit misuse of such information. That implies trust, and more information about how the information is used. At the same time, we may all become more tolerant if everyone’s flaws are more visible.

Source: Adapted from Esther Dyson, Release 2.0: A Design for Living in the Digital Age (New York: Bantam Doubleday Dell Broadway Books, 1997).

There’s no easy, immediate answer to what is always a best practice in privacy. The capabilities to get and share data about individuals become cheaper and easier daily. Smart cards can carry not only your retinal scan and fingerprints with you everywhere but your entire medical record.20 And Intellicheck already enables bars to swipe your driver’s license to ascertain your legal age (and then, in many states, to also suddenly “know” your Social Security number, gender, weight, address, etc.).

The real commercial questions are these:

  • What do we need to “know” to serve a customer better and make him more valuable to us?
  • What information do we really need to “know” that?
  • Once we get that information, how do we balance distribution at the front lines with the need to protect a customer’s privacy?
  • What are the limits in how we will share or distribute data?
  • How will we protect and secure the data?

Summary

The fluid collaboration between enterprise and customer is ceaseless throughout the life of the relationship. But for the relationship to flourish, customers sometimes will have to reveal personal information about themselves to the enterprise. The enterprise, in turn, will have to promise to keep this private information private. Indeed, privacy—the customer’s right to it, and the enterprise’s protection of it—has become an important, and controversial, subject of the Information Age.

Food for Thought

1. Who owns a customer’s information?

  • Who should profit from it?
  • How would that work?

2. Is anonymity the best solution to privacy?

3. What is the difference between privacy and data security, and how should that difference affect the way we use customer data?

4. Compare the situation of Big Business versus Big Brother having detailed information about you.

Glossary

Cookie: A small text file stored on your local hard drive that contains information that a particular Web site wants to have available during your current session (like your shopping cart), or from one session to the next. Cookies give sites persistent information for tracking and personalization.
European Union Data Protection Directive: Requires EU member states to amend national legislation to guarantee individuals certain rights to protect their privacy and to control the contents of electronic databases that contain personal information. Information about consumers must be collected for specific, legitimate purposes and stored in individually identifiable form. Those collecting the data must tell the consumer who will ultimately have access to the information, and companies wanting to use data in direct marketing must explicitly inform consumers of these plans and give them a chance to object.
Opt in: When customers proactively elect to receive future communications from an enterprise.
Opt out: When customers proactively elect not to receive future communications from an enterprise.
Privacy policy: A written document detailing how a company will share (or not share) data collected from its customers. Ideally it should explain to customers, in simple language, what kinds of information the company needs from them, how the information will be used, how it will not be used, and the benefits a customer would gain by sharing personal information.
TRUSTe: An organization that endorses each customer’s control of his own information and offers a publishable mark to groups and companies that meet TRUSTe’s requirements for privacy protection.

1. The number now circulating (on the level of urban legend) is 5,000 marketing messages daily. At the least, Forrester predicts an average of 9,000 marketing messages sent annually to the primary inbox by 2014. Shar VanBoskirk, “U.S. Interactive Marketing Forecast, 2009–2014,” Forrester Research, Inc., July 6, 2009, p. 19; available at: www.forrester.com, accessed September 1, 2010.

2. Gary Garner, “ID Theft Billion-Dollar Industry, Says Federal Trade Commission,” Mississippi Business Journal, July 21–27, 2008, p. 35.

3. Charles Jennings and Lori Fena, The Hundredth Window (New York: Free Press, 2000).

4. “Consumer Concern Rises about Online Threats, ACI Survey Shows,” American Consumer Institute’s Center for Citizen Research, September 29, 2008; available at: www.theamericanconsumer.org/2008/09/29/consumer-concern-rises-about-online-threats-aci-survey-shows/, accessed September 1, 2010.

5. Dave Frankland, “Consumer Privacy Is a Ticking Time Bomb for Customer Intelligence Executives,” Forrester Research, Inc., October 29, 2009; available at: www.forrester.com, accessed September 1, 2010.

6. Patrick Barnard, “Call Center Efficiency through Improved Customer Categorization,” TMCnet, December 31, 2009; available at: www.tmcnet.com/channels/call-center-solutions/articles/71846-call-center-efficiency-through-improved-customer-categorization.htm, accessed September 1, 2010.

7. Amit Poddar, Jill Mosteller, and Pam Scholder Ellen, “Consumers’ Rules of Engagement in Online Information Exchanges,” Journal of Consumer Affairs 43, no. 3 (2009): 419–448; “Capturing Visitor Feedback,” CyberDialogue, March 1997.

8. Kelly Shermach, “Growing Acceptance of Cookies,” Sales and Marketing Management 158, no. 7 (2006): 20.

9. “Americans’ Online Shopping Decisions Affected by Security Concerns, Poll Finds,” PR Newswire 17 (November 2009), Academic OneFile, accessed 8 March 2010.

10. Dave Frankland, “Consumer Privacy Is a Ticking Time Bomb for Customer Intelligence Executives,” Forrester Research, Inc., October 29, 2009.

11. Solveig Singleton, “Privacy and Human Rights: Comparing the United States to Europe,” CATO, December 1, 1999; available at: www.cato.org/pubs/wtpapers/991201paper.html, accessed September 1, 2010.

12. Jeff Langenderfer and Anthony D. Miyazaki, “Privacy in the Information Economy,” Journal of Consumer Affairs 43, no. 3 (Fall 2009): 380–390.

13. J. Trevor Hughes, “Greetings!” Inside 1to1 Privacy Newsletter, March 31, 2010, published by Peppers & Rogers Group and the International Association of Privacy Professionals; available at: www.privacyassociation.org/publications/2010_03_31_greetings/, accessed September 1, 2010; “Regulations Probe ‘Tagging,’ Consent,” International Association of Privacy Professionals Daily Dashboard, March 24, 2010; available at: www.privacyassociation.org/publications/2010_03_24_regulators_probe_tagging_consent/, accessed September 1, 2010.

14. “According to RILA Survey: Protecting Customer Data Is a Top Priority for Retailers,” PRNewswire, March 1, 2010, available at: www.prnewswire.com, accessed September 1, 2010.

15. Amit Poddar, Jill Mosteller, and Pam Scholder Ellen, “Consumers’ Rules of Engagement in Online Information Exchanges,” Journal of Consumer Affairs 43, no. 3 (2009): 419–448; Dan Seligman, “Too Much of a Good Thing?” Forbes, February 23, 1998, pp. 64–65; James W. Peltier and John A. Schribrowsky, “The Use of Need-Based Segmentation for Developing Segment-Specific Direct Marketing Strategies,” Journal of Direct Marketing 11, issue 4 (Autumn 1997): 53–62; Rob Yoegel, “Fulfillment on the Net,” Target Marketing 19, no. 7 (July 1996): 30–31.

16. Don Peppers and Martha Rogers, Ph.D., Rules to Break and Laws to Follow: How Your Business Can Beat the Crisis of Short-Termism (Hoboken, NJ: John Wiley & Sons, 2008), p. 91.

17. ChoiceStream press release, “Annual ChoiceStream Survey Finds Personalized Ads Attract High-Value Customers,” January 13, 2009, Cambridge, MA; available at: www.choicestream.com/news/pressrelease.asp?id=84, accessed September 1, 2010.

18. Ponemon Institute, “2008 Most Trusted Companies for Privacy: Study of U.S. Consumer Perceptions,” December 2008; available at: www.ponemon.org/research-studies-white-papers.

19. Pew Research Institute, “Use of Cloud Computing Applications and Services,” Pew Internet & American Life Project report (2008); available at: www.pewinternet.org/Reports/2008/Use-of-Cloud-Computing-Applications-and-Services.aspx?r=1, accessed September 1, 2010.

20. From Smart Card Alliance, “Smart Card Standards”; available at: www.smartcardalliance.org/pages/smart-cards-intro-standards, accessed September 1, 2010.
