The following text is copyright 2000 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

Say what you mean and mean what you say

By Scott Bradner

I have pushed quite hard for the US government to pass some meaningful laws to protect the privacy of Internet users. Some readers have challenged me to describe any laws that could do anything useful. I'll give it a try. I think there are three principals: tell me clearly what you are going to do with my data, don’t change your mind and don’t use data from other sources without my agreement.

There are certainly problems with a local government such as the US defining laws to regulate the very international Internet but the US government can regulate how US companies obtain and use information. The government can do this but I'm not sure it should do the latter. I do not think that it is productive for any government to say what information can be used in what ways because the speed of change in the Internet landscape. But I do think that some basic laws would help a lot.

Law number one: Every web site that collects any information about visitors to the site must have an easy to locate privacy policy that must say in simple English what data is collected and what purposes the data is going to be used for. This policy must cover any third party (such as DoubleClick or Akamai) that is in a position to collect information about Internet visitors.

Law number two: The web site's policies can not be changed to invade privacy in any additional way without clear notice and without discarding all information obtained under the previous policy. A site should have the option to ask individual users for their permission to retain the information about them but must not retain information without specific individual approvals.

Law number 3: No company doing business in the US may use any data from web sites that was not collected following the restrictions in the above laws.

Basically, I think that individuals should be able to decide for themselves what level of privacy they are willing to give up but they should be able to be sure that the companies, at least the US ones, that they are dealing with will not lie to them. The European sites are already under far stricter rules than I ever expect to see in the US.

The penalties for companies violating these laws should be significant. For example, I would think that failure to post a privacy policy or posting a false one should mean a fine of $1,000 or 10 days revenue of the web site, which ever is higher, for every day of violation. Making use of improperly collected data should be felony for anyone making the decision to do so and a very large fine for the company.

Some observers claim that the FCC already has the needed laws - empirical evidence shows this not to be the case. Lets get this problem behind us once and for all.

disclaimer: Empirically Harvard reputation is subjective but the University has not expressed an opinion on web privacy thus the above laws are my suggestion.