Monitoring your electronic footprints

Almost without exception, Irish Internet sites have a very serious privacy problem - so serious that, unless resolved, it could…

Almost without exception, Irish Internet sites have a very serious privacy problem - so serious that, unless resolved, it could threaten the development of the Republic as an e-commerce and technology centre. Almost none of over a hundred sites I looked at in recent weeks, including top e-commerce, Government, and service sites, carry even the most basic privacy statement explaining what they can do with information they gather every time you visit their site. More disturbingly, some of those sites solicit information from children without telling them to talk to a parent before sending such information, or explaining where the information goes.

Here are some of the Irish institutions and businesses whose sites have no privacy statement: Government sites such as AskIreland.com and Bord Failte's site, both of which request detailed information from users; Donegal County Council, and Dublin Corporation. The Garda site, www.garda.ie. IRION.ie (Irish Information Online), Jobfinder.ie (which asks for personal information), and Softwareireland.ie. They are not alone - dozens of other businesses have no privacy statement either. The few sites that carry a statement tend to specifically target a US audience, such as Goireland.com, a site that offers travel information and allows visitors to book accommodation, rental cars, travel tickets, and more. But it's worrying that Ireland's flagship tourist Internet site, Bord Failte's, carries only a lengthy legal disclaimer in confusing legalese, while soliciting personal information in several areas of the site, beginning with a request that visitors fill in an online form to "register".

Privacy statements are considered such an essential part of websites in the US - particularly those aimed at children - that the US government has considered making them a legal requirement. In response to the threat of outside regulation, industry groups have tried to get businesses to carry a statement or risk penalties. While punishments are currently relatively toothless, industry groups realise they must get US businesses to take privacy seriously or the government will legislate them into compliance. The US currently has few protections regarding the use of data, but a clear website policy is viewed as a business essential.

In Europe, we have the Data Protection Act. This requires companies that solicit information from consumers to tell them how the information will be used, and to let them opt out of any commercial usage of personal information - for further mail shots or e-mail advertisements, for example. Data also cannot be held without a specific purpose. Yet despite this legal requirement, Irish websites continue to fail to carry privacy statements.

READ MORE

So what is the problem with Irish organisations? Is this simple naivite, or a disregard for the key privacy guarantees afforded to Europeans? At the very least, Irish websites are blatantly ignoring the EU data protection directive, which clearly and unambiguously targets electronic information held on computers. That means Irish websites should always make clear what information is being taken from site visitors and how it is being used. But, most likely, visitors have not been told - and if your company has a website, you haven't bothered telling.

Online information-gathering doesn't even require your consent. Personal information can be picked up simply because you have visited a site - you've left your own, distinct electronic footprint on the site, which can be traced, classified and analysed in a number of ways.

However, many people offer up more explicit detail in the course of a visit. For example, have you registered to use an Irish Internet site lately, filled in an online form that asked for personal information, entered a competition online or requested a quote for a service online where you've sent along such information?

Have you sent an electronic postcard that asked for your email address, as well as the recipient's? Have your children - with or without your knowledge - offered up information such as name, address, e-mail contact, or phone number for a competition, a game site, a product site? If you use the Internet, it's getting almost impossible to avoid such actions.

That's why a privacy statement is crucial, especially as techniques for making use of electronic data grow ever more powerful. And that's why the issue of privacy is exercising so many minds, to the point of becoming an e-commerce bone of contention between the US and the EU.

Ironically, Irish sites are neither meeting EU requirements in terms of privacy, nor offering even the basic privacy information US companies are being asked to supply.

That leaves us looking woefully ignorant of this key issue, and contrasts thoroughly with the lead the State has taken in bringing in pro-privacy legislative proposals in complex areas like encryption. Before the State starts to look like it only has figured out half the e-commerce equation, the Government must push website-touting organisations for minimal compliance with the data protection directive or, better yet, require jargonless, direct and detailed privacy statements on sites.