One On One With Junkbuster's Jason Catlett

Where consumer privacy is concerned, Junkbusters has never been an organization to hold back. While the Green Brook, N.J., advocacy group focuses on reducing the flow of junk messages, it has also established itself as an outspoken watchdog of consumer privacy.

President and founder Jason Catlett, a computer scientist with a Ph.D. in data mining, has been tireless in his pursuit of responsible use of consumer data. He frequently addresses Congress and other federal bodies on a variety of privacy-related issues. Late last year, he led an effort to have the Federal Trade Commission determine whether Amazon.com Inc. had deceived its customers when it suddenly changed its privacy policy. (The FTC ultimately determined Amazon had been deceptive, but did not take enforcement action.)

Most recently, Catlett became involved in a complaint to the FTC filed by several privacy organizations, responding to Microsoft's controversial Passport software (designed to let Web sites share user names and passwords so shoppers don't have to re-enter them). Catlett and others feel the software raises concerns about the practice of monitoring Internet users' actions and habits.

InformationWeek Senior editor Tony Kontzer spoke with Catlett about the state of consumer privacy, the degree to which the corporate and government sectors are addressing it, and why it is or is not being adequately protected.

INFORMATIONWEEK: When does personalization become a privacy violation?

Jason Catlett: Personalization violates privacy if the personal information is handled unfairly, and information can be handled unfairly in several ways. It can be collected without consent; it can be used for purchases other than those for which consent was given; and it can be kept secret from the people whom it's about. If the user isn't in ongoing control of the information, that's also unfair.

Personalization doesn't necessarily invade privacy at all. It's simply a question of whether the personal information is handled fairly.

INFORMATIONWEEK: So the use of personalized information that's collected with the knowledge of consumers and is used to provide personalized service is not inherently a problematic area?

CATLETT: No. Privacy advocates and consumers want companies to use their personal information appropriately to provide services that depend on it. But too many companies cut corners and end up violating privacy in the name of convenience or profitability.

INFORMATIONWEEK: At what point does a company's responsibility to improve its bottom line end and a responsibility to preserving the rights of its customers begin?

CATLETT: In the United States, there's very little in the way of privacy law applying to non-governmental institutions. So, legally, companies can get away with far more than most consumers would expect, far more than their PR people wouldn't ever want, and far more than is healthy for the long-term viability of their brand.

Just because something is legal doesn't mean it's a good idea. And any product manager who's making decisions on the use of personal information based strictly on whether they're breaking the law or not is being very short-sighted.

INFORMATIONWEEK: What do you see as the role of the federal government in preserving privacy? Is this a legislative issue? Who in the government should take responsibility? And do we even want to entrust the government with overseeing information technology practices that violate privacy?

CATLETT: All privacy advocates have become simply mistrustful of government in its handling of personal information. But information privacy rights really have to be created by statutes, which need lawmakers to pass them. In my opinion, [these statutes] shouldn't be giving enormous power to government agencies.

The best privacy laws are those that empower the consumer. Let's take, for example, the Telephone Consumer Protection Act, which outlawed junk faxes. There's no vast junk fax police in Washington stopping junk faxes. The fact that anybody who gets junk faxes can sue junk faxers for $500 per fax tends to stop businesses from doing that. It's a fairly effective law, and it's the type of privacy right that I think we need more of.

INFORMATIONWEEK: Has Washington dropped the ball on this issue?

CATLETT: Throughout the 20th century, Congress and state legislators have moved to protect privacy rights in light of new technologies. So--whether it was the development of the Kodak camera that allowed anyone to be a photographer, or telephone wire-tapping, or credit reporting agencies that developed vast new databases about financial behavior, or the renting of video cassettes, or the protection of cable subscribers' channel surfing behavior--Congress has often moved to protect privacy against new technologies that could be used in an unfair, privacy-invasive manner.

With the privacy and copyright acts in the 1970s, the United States was a leader in the field of information privacy, which is hardly surprising because it's one of the leading information-intensive societies. But since then, other counties' privacy laws have advanced far faster than in the United States, where the lobbying of corporations has severely retarded the development of privacy law.

INFORMATIONWEEK: What is the responsibility of companies? What role can they play in self-regulation?

CATLETT: The level of privacy provided is extremely patchy. Some companies in the United States do an excellent job, but the average is dismal. And there are a number of bad actors that really contribute to the feeling that the American consumer is the target in a happy hunting ground for personal information.

INFORMATIONWEEK: What companies are the pillars of privacy protection in the United States?

CATLETT: I don't want to do any endorsements, but it's very instructive to look at the hundreds of privacy notices that the Privacy Rights Clearing House in San Diego, Calif., has collected. The best notices are the shortest ones that give you no options, that say, "We don't share any information about you with any other party except as required by court order" or some other limited exception like that. There are many companies that have those statements.

But a large number of very prominent banks have privacy statements that read something like "We greatly value your privacy," yet 400 words later they say that they may sell your information to anyone that they choose. It's hypocrisy.

INFORMATIONWEEK: Can you provide any detailed anecdotes about specific companies that are privacy nightmares?

CATLETT: When privacy advocates add up the scorecards for companies, they generally look at how unfair the information practices are, how many people are affected, and how much information is collected. And that leads you to a gallery of maybe half a dozen companies that hold information about more than 100 million Americans and treat it unfairly by collecting information without consent, refusing to show the information to the people it's about, and sharing the information with a lot of other companies.

Abacus Direct, a division of DoubleClick, for example, is one; Acxiom, Equifax, and Experian, too. There's actually a list on our Web site, which gives you a description of some of the worst offenders. We also had an awards ceremony a year or two ago, where we nominated some of our least-favorite companies. (You can see a summary of the awards at Junkbuster's site.)

INFORMATIONWEEK: A universe of companies out there have spent billions of dollars on systems specifically designed to collect data so that they can then more efficiently provide services or market to people. Why shouldn't they be able to do whatever they want with this information, given that the majority of it is collected from people who come to their sites, fill out registrations, and buy products from them?

CATLETT: What you're asking is a question of economics. Given that companies have made a large investment in information, why should they be forced to make changes to protect privacy?

There are many analogies where society's required such additional expenses. For example, in the 1960s, Detroit questioned why it should have to spend $15 and add $15 to the price of a car to have seatbelts when most people don't use them. Or you could easily have asked why the owners of coal mines in the 19th century, which could only be economically mined by children, shouldn't be allowed to enter into labor contracts with pre-teens. In these cases, society made a judgment about what was a minimum acceptable level of conduct.

But let's not exaggerate here. The cost of making most systems privacy friendly is not a large recurring cost, as compared to the capital investment needed to get the information.

INFORMATIONWEEK: How much of the privacy issue as it stands today do you attribute to the predominance of technology?

CATLETT: Information privacy has always been driven by technological advances, such as the telephone, professional photography, cable TV, video rentals and the Internet. The Internet is simply the greatest machine ever invented for getting information from one place to another. Because some of that information is personal data, it's causing a great increase in the collection and dissemination of personal information in an unfair manner. It's equally a shock to the recording industry, which found that its information could be used in ways that previously were not practical.

INFORMATIONWEEK: Can you identify the three biggest privacy concerns that exist right now for consumers?

CATLETT: The top two types of privacy violations are the collection and misuse of information, and unwanted contact with the consumer.

Under unwanted contact, I'd list junk E-mail (or spam), telemarketing calls, info-mail solicitations, junk faxes, junk pages, and all of the other technological interruptions that happen daily. Consumers particularly hate spam and telemarketing.

Under the heading of information privacy, consumers dislike companies selling information about them. When they buy a book online, they don't want their names on some list related to the topic of the book that they bought.

A third area of concern is identity theft. That's not an activity that most companies aim to achieve, but in many ways they contribute to it by, for example, maintaining databases with Social Security numbers that employees are able to browse, or by having lax security where credit-card numbers can be stolen by hackers.

INFORMATIONWEEK: What can consumers do to address their own privacy concerns and take the matter of out of the hands of the companies and the government?

CATLETT: Short of moving to Montana and living like a hermit, it's very difficult for the average consumer to stop companies from obtaining personal information about them. And, once it's out, there's no way for them to stop distribution and to get the information released.

Many consumers simply lie when they're asked for personal information. A very large number of consumers abandon their shopping carts at the checkout of a Web site when they're required to enter their name and personal information. Merchants know that this is because of security and privacy concerns. Consumers are already voting with their feet, or more specifically, staying put because of cold feet.

That's not good, because the efficiencies of online commerce and the use of new technologies benefit both consumers and companies, and if privacy can be guaranteed and people have confidence, it adds up to a better time for everybody.

INFORMATIONWEEK: Many people who are afraid to give their credit-card number online have no problem handing that same card to a waiter in a restaurant who disappears into the back with it for 10 minutes. How much of consumer privacy fears are related to the fact that they don't understand how technology works?

CATLETT: The waiter in the kitchen example is often trotted out as an example of consumer stupidity, but I wonder if it really is so stupid. We've seen a number of instances where very large databases of credit-card numbers at well-established companies have been compromised by hackers. The waiter in the kitchen doesn't have a list of millions of credit cards waiting to be attacked by some wily hackers. So there are concerns that apply on the Internet that don't apply offline.

INFORMATIONWEEK: So what are companies doing right and what are they doing wrong? Can you give me sort of a report card on the state of American business' respect for privacy?

CATLETT: It varies enormously. Most companies don't spam, but too many companies try to sign people up automatically for E-mail newsletters by having pre-checked boxes. Companies need to learn more about permission marketing to get consent and buy-in from consumers in their marketing programs.

A lot of companies are integrating their view of the customer so that they don't have different accounts under slightly different names. That's a good thing for privacy, because it's easier then to show consumers all the information that they have about them. If the consumer says, for example, that they don't want to receive any more marketing pitches by mail, that can automatically be applied to several accounts.

Strangely, one thing companies aren't doing enough of is asking their existing customers to volunteer more information about what they want. I remember the now-defunct Kozmo had on its Web site a feature where you could note videos that you want to rent in the future but don't have time for now. That's a much more useful and privacy-friendly feature than any of these collaborative filtering systems that try to predict, based on what you've rented in the past, what you might want to see in the future. Companies shouldn't be afraid to ask for relevant and contextually appropriate information from consumers as long as they're going to treat it fairly from then on.

INFORMATIONWEEK: As the next couple of years unfold, what do you see developing on the privacy front? How do you expect the concerns to be addressed? What kinds of business practices are you looking to see adopted, and what kinds of legislative involvement are you expecting?

CATLETT: In the next few years, we can expect to see more privacy horror stories and more consumer anxiety, and definitely several pieces of legislation will give consumers stronger privacy rights in various areas. The sharing of marketing information without permission will become less common. More and more companies will offer consumers the ability to control, via Web sites, all of the information that's held about them.

And security has to get better. The situation with Code Red worms rampaging simply is not acceptable for a society that so intensely depends on information and its security.

INFORMATIONWEEK: If you were to describe in very general terms the state of consumer privacy, what would those terms be?

CATLETT: American consumers are like lobsters sitting in a steaming pot. They've figured out it's not really a sauna, and that the temperature is just going to get hotter and hotter until some systemic changes are made through legislation and through companies being forced to accommodate consumer concerns. It's not going to be easy, but we got through Y2K pretty well, and this is going to be less intense than that. The information industry is just going to have to bite the bullet here, the way Detroit had to bite the bullet on auto safety and fuel economy.