AS AMERICA GIRDS AGAINST TERRORISM, federal privacy regulations That restrict the exchange of data online will probably take a back seat to law enforcement’s need to know. But that doesn’t let corporate America off the hook when it comes to protecting the privacy of consumers. Harvard Law Professor Arthur Miller, the former host of the TV show Miller’s Court and one of the country’s best legal minds, says corporate executives should be especially concerned about protecting their companies and themselves from class action lawsuits stemming from the intrusive use of personal data gathered online. And if that’s not enough to scare any right-thinking CIO, Miller?a longtime expert on the impact of technology on privacy and author of one of the first books on the subject, The Assault on Privacy: Computers, Data Banks and Dossiers (University of Michigan Press, 1971)?has himself become involved in several of these high-profile cases.

In a recent interview in his cluttered book-lined office at Harvard, the courtly looking Bruce Bromley, professor of law, expounded on the principles behind these lawsuits and discussed the line corporations should be careful not to cross when collecting and using their employees’ and customers’ personal information.


CIO: You’ve been writing about privacy issues for the past 30 years. How has the Internet changed the tenor of the debate?
Miller: Before the computer came along, the greatest privacy protector was that you could never find anything. The safest place in the world was a manila folder in some file drawer. I certainly can’t find things in my files. [He laughs and gestures helplessly around his office, where stacks of papers cover every available surface.] The computer has changed that calculus. Now you have the ability to record everything, and you get a mentality that it’s important to record everything. And the Internet allows direct marketers to come into people’s homes and offices and buy privacy. It has changed the scale of [intrusiveness] to a degree we could never contemplate before.


But the industry pollsters say that Americans don’t really care about privacy in this new age. After all, consumers keep giving websites personal information in order to do business online, so how much do they really care about privacy?
I think it depends on how you phrase the question. If you put the issue of privacy in terms of civil liberties or medical records, you get very strong pro-privacy reactions. But if you put it in terms of accessed goodies, then it becomes a trade-off, which leads one to believe that Americans care less about privacy in the commercial context than they do in the medical or employment context. And it’s clear that in certain environments, Americans are willing to sell their privacy. Give them a freebie online and they’ll give you some of their privacy.


Which is the greater threat: hackers who are looking to steal data or the sale of private information to third parties?
In terms of dimension, the bigger problem is the free movement of personal information in the economic system. Yes, there are hackers out there, and you have to protect your systems against them, but I don’t think they pose the privacy threat that the self-interest of an entity to sell or exploit data possesses. Information is so valuable, and circumstances are so unpredictable. Look at all those dotcoms that have folded up; their only asset is their customer base, so they have every incentive to sell that. And there’s a lot of stuff going on out there that’s on the fringe of being very, very intrusive. Like the rampant, uncontrolled use of cookies that give corporations information about your susceptibilities.


Even beyond cookies, many corporations invest tremendous resources in CRM systems that capture personal data and use it to target customers more effectively?for example, by segmenting them into high- and low-value customer groups and then treating them accordingly. Do people recognize the extent to which their personal information is being used in this way?
I don’t think Americans understand that someone is capturing data on them every time they do something, whether they buy something on Amazon.com or use the Net to book an airline seat. And when people are affected by this, they don’t even know it. I mean, say you get turned down for credit. How often can you figure out why you’ve been turned down for credit?