WWW privacy and confidentiality

Robert Robbins (rrobbins@gdb.org)
Sat, 21 Jan 1995 21:37:24 +0100

I generally find it useful to seek similarities between the new realm of
electronic interaction and the old way of doing things. Mail ordering a
product, especially one of a distinctive kind, tends to trigger a lot of
similar junk mail. For example, I've bought a few books on the Civil War
and now I get lots of targeted mailing for Civil War buffs. As WWW
servers become more and more embedded in commerce, could WWW providers
legally sell lists of users known to have certain interests?

What is the social relationship between a WWW provider and a WWW reader?
A book store has lots of different kinds of materials on open shelves and
when someone stops by to browse, they are not guaranteed privacy in the
sense that others are prevented from watching them browse and seeing what
they pick up. On the other hand, there are the precedents set with regard
to restricting the public availability of movie-rental data.

Ultimately, the "rights" to WWW privacy and confidentiality will be
settled by lawyers, jurists, and legislators, not by a consensus among WWW
developers. In a cover-your-butt sense, WWW providers should ask what
actions on their part might expose them to liability. Nowadays, if you
open a small clothing store and somebody happens to fall down and get hurt
on the sidewalk in front of it, you can get sued and it may cost you
thousands of dollars, or more, just to respond.

Putting up a WWW server is in some very real sense equivalent to opening a
store for business. In a litigious society, any offering of public
services is accompanied by some risk of attracting adverse legal action.
It might be a good idea for WWW providers to get (and share?) some legal
advice on these issues.

For example, suppose you run a WWW site and you don't really worry about
system security because everything on your server is automatically spawned
from some protected system inside your company's firewall. So a hacker
breaks into your system easily and runs off with your WWW logs, which turn
out to have some interesting information of the sort: Joe Congressman has
been hitting on the cindy.gif server 20 times a day. This gets out. Are
you liable because of a failure to take adequate steps to protect the
privacy/confidentiality of your users?

Maybe some of the corporate folks who communicate on this wire might ask
their legal departments for some advice, then share it. On the other
hand, asking legal for advice can sometimes attract unwanted attention and
concern from the professional worriers...

I am sure that many who read this will react with disdain toward these
concerns. Actually, I share that disdain for the results of a society
ready to sue at the drop of a byte. That disdain, however, is no
protection against such a suit.


Robert J. Robbins
Applied Research Laboratory
Johns Hopkins University
2024 E. Monument Street
Baltimore, MD 21205


(410) 955-9705 (voice)
(410) 614-0434 (fax)