With data-mining firms harvesting personal information from online activity, privacy advocates, if not yet consumers, are alarmed, reports James Hale.

Every contemporary consumer knows it: There’s a fine balance between the convenience that comes with seamless online access and the privacy one can expect to retain in a networked world.

Perhaps nowhere is that balance more graphically expressed than in the world of Dell computers. Post a comment on a blog about a negative experience with a Dell product, and you can expect that the company will contact you personally in an attempt to resolve your problem and turn you from “ranter” to “raver.” Each day, from a facility in Round Rock, Texas, Dell tracks 25,000 online conversations that mention the company.

Dell’s strategy, implemented after an infamous “Dell Hell” incident – involving well-known blogger Jeff Jarvis, who in 2005 posted how the company refused to replace or fix his broken computer – has succeeded in converting one in three negative posters. But, for some, who anticipated their comments wouldn’t go beyond their regular followers, Dell’s outreach might seem as welcome as a call from a stalker.

Dell’s 24/7 focus on what customers are saying is a visible example of how organizations collect data. Many more companies – and many without the business ethics of Dell – are scooping up personal information every time someone clicks through an online ad or uses a mobile application. 

Compiled and cross-referenced by a data marketing firm – like Alliance Data, BlueKai or eXelate – those bits and pieces of personal data are digital gold.

“For many companies, their customers’ personal information is just another lucrative area of business,” says Vicente Diaz (left), senior malware analyst at Kaspersky Lab, who quotes a digital business truism: “If you are not paying for a service, you are the service.”

While consumer watchdog organizations have repeatedly raised alerts about the privacy issues related to sharing information online, there is a growing feeling that the average citizen remains largely in the dark about how their information is being used.

“We are at a point where nobody, no company, has ever had so much information on individuals,” says Diaz.

Indeed, but a number of experts are concerned about who might eventually gain access to the information. “The world is very different now,” says Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF). “The default position most companies take is to track consumer data. Most people still don’t understand that it’s going on, who is doing it, and the implications of it.”

The EFF is particularly concerned about findings like those coming out of the Massachusetts Institute of Technology, which show that the “human mobility traces” created by smartphones are sufficient to overcome individual privacy and anonymity.

“The growth of mobile applications has raised the stakes in many minds, and well it should,” says Tien (below). “With smartphone traceability, we are seeing a qualitative jump in creepiness.”

In spite of the fact that the average online shopper or mobile app user has much less privacy today than a decade ago, most companies still either post simple statements about respecting users’ privacy or direct users to multiple pages of dense legalese to explain what rights are being waived.

Neither does much to build confidence or promote transparency. As a result, governments have begun to look at implementing tougher guidelines.

“Regulators are becoming concerned,” says Gary Kibel, a lawyer at the New York City firm Davis and Gilbert. “While there are laws already in place in various jurisdictions, some say there is not enough transparency. The Federal Trade Commission is promoting just-in-time notices [an alert outside of a company’s privacy policy] regarding consumer privacy, and some states are beginning to take action. In addition, cross-border usage presents a whole other set of questions.”

Kibel and others point to Google’s admission in March that it had violated individuals’ privacy with Street View – which collected street-level images from the company’s fleet of cars loaded with cameras – as an indication that companies recognize it’s time for a change. 

“There are only a small number of bad actors out there,” says Kibel, “and the Googles of the world realize that the honest brokers need to make it clear that they’re the good guys.”

Tien agrees that things are changing. He says he has become a bit more optimistic in the past few months because of movement, such as Mozilla announcing it will block third-party cookies in a future version of Firefox. He points as well to content publishers, like ESPN, beginning to question the data-sharing policies of the Interactive Advertising Bureau. “It’s not entirely clear what the model will be in terms of ensuring consumer privacy, but at least we are seeing recognition that the current state is predatory,” he says.

Dorman Bazzell, North American business intelligence and data warehouse practice lead for Capgemini, an IT services and business consultancy company, says there are a number of questions that organizations should be able to answer to demonstrate that they’re safeguarding consumer data. “First, you have to know what customer data is available inside the organization, who has access to it, and how it’s used,” he says. Next, users should know where it lives in the organization, and recognize when it needs to be destroyed. 

A major challenge is that there is no single standard for safeguarding privacy. “There are many different solutions,” Bazzell says. “They come in the form of databases, the network, the Obama administration’s Consumer Privacy Bill of Rights, information security office (ISO) practices and data governance organizations, as well as security protocols, applications and processes.”

But, in many cases, these safeguards fall short, says Diaz. “Companies still don’t have any economic incentive to follow them,” he says. “In fact, it’s quite the opposite. What is obvious is that both laws and directives should be much clearer, and there should be a strong regulator to ensure that citizens’ privacy is not compromised.”

Davis and Gilbert’s Kibel agrees that the existing options sometimes conflict. Further, he says that finding an all-encompassing, absolute solution to protecting consumer privacy may not be possible. “For organizations, the best they can do is to do what makes sense,” he says. “Offer users the choice to opt out, and examine all parts of your workflow to ensure you’re not putting personal information at risk.”

The EFF’s position is that protecting privacy is everybody’s responsibility, adds Tien. “At least as much as it can be when business is in the driver’s seat. We think the solution will have to be cooperative. The risk of privacy compromise is a combination of government and business, so we believe each of the players must be a piece of the puzzle.”