InformationWeek

"We know there's a fine line we need to walk between being invasive in terms of people's privacy and judicious use of customers' information," says Parrish Arturi, VP of channel development at financial services firm First Union Corp.

Two developments last week highlighted that dichotomy. Andromedia Inc. and BroadVision Inc. introduced an integrated software package that lets Web retailers watch the online shopping behavior of individuals and groups in real time.And at its annual BrainShare technology conference, Novell previewed a directory-based technology called Digitalme, which promises to let users create their online identities and control the information they give out over the Internet.

The government continues to take a hard look at how businesses use online data. Next month, Mary Culnan, a professor of IS at Georgetown University in Washington, will present to the Federal Trade Commission a survey of 360 popular Web sites. The study will examine what personal and demographic information the Web sites collect, if they have privacy policies posted on the sites, and whether they give users basic choices over how their personal information is collected and used. An FTC spokeswoman says the study will likely be included in a report to be submitted this spring to Congress, which is considering an array of Internet privacy legislation.

Already this year, two high-profile vendors-Intel and Microsoft-have gotten caught up in controversies regarding their use of online data-gathering technology. Intel was criticized last month for including traceable identifiers on its Pentium III chips. And last week, Truste-an industry privacy group that promotes self regulation-said Microsoft "compromised consumer trust and privacy" when it compiled data about individuals' PCs during Windows 98 registration even after customers indicated they didn't want to provide such information.

Still, companies embracing E-commerce realize that exploiting customer data is one of the advantages of that online, real-time medium. First Union, for example, said last week that as part of its online banking operations, it will use Vignette Corp.'s Story Server to customize Web pages for individuals based on both click-stream information collected about them and data provided by them.

Vendors are aggressively increasing the capabilities of personalization technology. Andromedia linked its Aria eCommerce 3.0 site- analysis tool, released last week, to the Observer module in BroadVision's One-to-One commerce server, which lets companies see which items a customer inspects, puts in or removes from a shopping cart, and buys. Together, the software products can alert a Web retailer to behavioral patterns as they develop.

For example, a retailer might see that customers repeatedly put a certain item in their shopping carts, but remove it before heading to the check-out area. Site administrators could set up a rule in BroadVision's server to offer customers a 15% discount on that item whenever it is removed from a cart. "We're starting to get into the heads of the shoppers because we're tracking not only purchases but the events around the purchases," says Kathleen Hayes, director of business development at Andromedia.

But that's potentially invasive, says a report issued last week by Zona Research. Analyst Jack Staff, who authored the report, compares the Andromedia-BroadVision technology to a salesperson who follows shoppers around a store watching everything they consider buying. Says Staff, "Marketers need to ask, if a shopper won't allow someone to follow him around the store, why would he allow online marketers to observe him shopping online?"

Andromedia insists its technology doesn't invade privacy because it reports aggregated data, not the shopping behavior of individuals. Andromedia contends its customers aren't interested in individual consumers. "The companies we work with are high-level sites getting loads of traffic," says Hayes. "As you get millions of users, the individual starts to lose its impact."

Cyberian Outpost Inc., an $85 million online software store in Kent, Conn., has been using the integrated tools from Andromedia and BroadVision since December. The company can observe shopping behavior down to the individual level, but takes care not to act on the information too aggressively. "We don't want people to freak out," says Mike Starkenburg, Cyberian's chief technology officer.

Cyberian Outpost is developing a profile-management application that gives customers more control over their personal data and preferences. The application will be a "dashboard" that lets customers choose the type of content they see and determine how Cyberian Outpost markets to them, says Starkenburg.

Customer control is the idea behind Novell's Digitalme software, due in the third quarter. Digitalme lets consumers establish "digital identities" that provide personal information about themselves to online retailers, suppliers, employers, or other organizations. "We're trying to get end users to think about what their preferences are, what they care about, how they identify themselves, and do it all inside a directory," says Novell chairman and CEO Eric Schmidt.

Personal identities created using Digitalme can include name, address, phone number, passwords, credit-card information, bookmarks, and "cookie" files. Users can set up multiple identities. Companies that have expressed interest in Digitalme include Citigroup, FirstUSA, and Lucent Technologies.

Citigroup is testing Digitalme to see whether it's easy enough to be used by the broad base of consumers coming online to handle their finances. Citigroup also wants to gauge the software's security and scalability.

Dan Schutzer, director of external standards for Citigroup's E-commerce unit, says many of the company's services, such as online banking, brokerage, and billing, depend on collecting information from consumers. "Digitalme looks like a cool way to do that," he says. "Customers get a lot more control" over their information. That's a central tenet of Citigroup's customer-centric business philosophy. "Our reputation is at stake," says Schutzer. "Our customers don't want the whole world to know their accounts."

Earlier this month, Microsoft introduced Passport, a password and registration service for Web commerce. Passport includes a "personal information center" where users can look at their personal information and update or delete it.

The amount of personal information being exchanged by individuals and companies engaged in E-commerce is creating a new type of service company, called an "infomediary." One such company, Populardemand Inc. in San Francisco, operates a Web site that pools consumers based on their interests in products from garden equipment to mortgages. Those consumers are introduced anonymously to merchants that pay Populardemand anywhere from $10 to $150 for each customer they can market to via E-mail and the Web.

Populardemand president Jim Calhoun says the site appeals to consumers because they remain anonymous and can set the terms of engagement with merchants. "The message that resonates with our customers is control," says Calhoun. "By giving the buyer a lot more control over their personal information, we actually lubricate the commercial process."

Infomediaries are a target market for Digitalme, according to Novell's Schmidt. An infomediary could store its customers' Digitalme information on a directory, then pass that information to other commerce sites as customers browse the Web. End users would only have to log on once to the infomediary site, with logon information for other sites handled by the infomediary's server, which would also control transaction information such as credit-card data.

Software is only part of the equation, say privacy experts. Ram Avrahami, director of Named, a privacy group in Washington, says technologies such as Digitalme can help control the collection of personal information. But it must be matched by widely adopted guidelines for how companies use data once they get it. "Just having the software isn't going to make that happen," he says.

IT managers are looking for help from both-software and industry consensus.

With Justin Hibbard and Brian Riggs