Internet users want to keep their personal information private, but they want privacy tools to be cheap, easy to use and nearly invisible.
That was the consensus from a group of privacy experts at a forum on protecting personal information at the U.S. Federal Trade Commission (FTC) in Washington, D.C., Wednesday.
Most Internet users don't want to have to fiddle with settings on privacy products; they just want them to work, said Martin Abrams, executive director of the Center for Information Policy Leadership. "It has to work the way a toaster does," Abrams said of privacy tools. "Put in a slice of bread, and toast pops up."
Many Internet users don't pay much attention to computer privacy because they don't know the dangers of viruses, worms and credit-card thieves lurking online, added Stephanie Perrin, president of Digital Discretion Inc., a privacy consultancy.
Perrin, speaking on a panel about consumer tools for managing personal information, listed more than a dozen privacy products that were launched between 1999 and 2001 but failed to catch on, mainly because of cost or inconvenience. However, many Internet users aren't aware of the dangers that can be avoided with proper tools, she said, and several panelists stressed the need for more public education about using personal data online.
"Leaving personal information around ought to be thought of as leaving a bucket of cash, because it's saleable," Perrin said. "Organized crime is interested in it; the terrorists are interested in it; we ought to protect it like cash."
The FTC forum is the first of two in the next month focusing on protecting data privacy. A second hearing, focusing on how companies can protect the privacy of data, is scheduled for June 4 in Washington, D.C.
Richard M. Smith, an Internet consultant who runs the informational Web site Computerbytesman.com, described a number of privacy tools available to Internet users, including antivirus software, firewalls, and spyware detection software. But Alan Paller, director of research for the SANS Institute, said most privacy tools haven't caught on with consumers.
Paller blamed vendors for not building in privacy tools but also said most Internet users aren't demanding them.
"They're a wonderful tool if we use them, but we don't use them," Paller said of antivirus programs.
Rich Lloyd, global privacy and customer relationship management lead for Dell Computer Corp., said only 8 percent of Dell customers subscribe after a free 90-day trial for antivirus software expires. And Anson Lee, product manager for Norton Internet Security at Symantec Corp., admitted that most Internet users don't buy antivirus products until after their computers get infected and they lose valuable personal data.
Lee, in an interview later, said about 30 percent of Internet users do not use antivirus products. In addition, because Internet users are often behind locked doors in their homes, they seem to feel less cautious about giving out personal information to strangers at Web sites or in chat rooms, he noted.
"Things they normally wouldn't do in public, they feel safe to do at home," Lee said of sharing personal information with strangers on instant messages.
Lloyd suggested most Internet users aren't willing to pay more than US$20 or $30 for privacy tools. Dell will soon announce factory-coded security benchmark configurations on PCs, he said.
"It has to be easy, it has to be transparent, and it has to be relatively cost-less," Lloyd said. "We've got to make security and privacy really transparent on the box itself."
Panelists did trumpet the Platform for Privacy Preferences (P3P) Project, in which Web sites distill their privacy policies into computer code, which then can be read by the newest versions of Internet Explorer and Netscape Navigator. Internet users can change the privacy settings on their browsers and have the browsers warn them when they're accessing a site that doesn't comply with their privacy wishes.
However, only about 10 percent of more than 5,000 Web sites surveyed in early May use P3P, said Lorrie Faith Cranor, principal technical staff member in the Secure Systems Research Department at AT&T Labs. And others on the panel noted that the shorthand privacy policies created in P3P, which users can have translated back into English, can give the lawyers who wrote the longer privacy policies nightmares because of the differences.
Asked what the U.S. government can do to encourage consumers to protect their own privacy, most panelists stressed education efforts such as the FTC forum and suggested privacy demand is best driven by the marketplace, not government action.
Abrams said some legislation, coupled with technology efforts, may be appropriate at some point. "I've never been opposed to good privacy law, good security law," he said. "I've often said we don't know quite yet how to write that, and we shouldn't write law until we know how to put it in place."
However, Daniel Weitzner, leader of the Technology and Society Domain at the World Wide Web Consortium, challenged those who suggested a technology-only approach. "I guess I want to express a note of skepticism about whether it's enough to say, 'the market will sort it out,'" Weitzner said. Large organizations have an incentive to protect their own networks, but individual Internet users may not.
Paller, from SANS, noted that encouraging individual Internet users to keep their private information under wraps is important, but privacy advocates also need to preach to large businesses using "out-of-the-box," insecure Web servers that often process millions of credit card numbers or other pieces of personal information.
"No criminal is stupid enough to attack your home computer when he can collect millions of your credit cards from vendors of e-commerce," he said.