FRAMINGHAM (08/01/2000) - A fresh controversy over the contentious issue of online privacy broke out yesterday with allegations that four Internet retailers are sharing personal information submitted by consumers with a marketing company -- charges that a spokesman for the marketing company said "totally" misconstrue what it's doing with the data.
The controversy began when Interhack Corp., a Columbus, Ohio, company that develops security and privacy tools, posted a report on its Web site claiming that Toysrus.com Inc., its Babiesrus.com affiliate and online sportwear retailers Lucy.com and Fusion.com are sending personal data to San Francisco-based Coremetrics Inc. without notifying consumers and despite having policies that promise they won't share such information with third parties.
In addition, Interhack said, Lucy.com and Fusion.com display the Truste privacy seal on their Web sites, which means they've promised to adhere to a set of online privacy guidelines. Truste spokesman Dave Steer said the San Jose-based privacy organization is reviewing the posted privacy policies of the two sportswear retailers to see if they're violating their contracts with Truste.
Officials at Toysrus.com didn't return telephone calls seeking comment on the matter today. But Coremetrics, Lucy.com and Fusion.com defended the information-sharing, saying Coremetrics only uses the data to prepare reports for the individual retailer that collected the information.
Interhack is "implying that Coremetrics is collecting the data and accessing multiple sites with the intention of selling it to a third party," said Coremetrics spokesman Dan Dement. "That legally can't happen. We're legally bound by a contract with our clients not to do that." Web sites such as Toysrus.com "hire us to collect the data and produce a report for them," he said. "We don't own the data."
Coremetrics also advises its clients to disclose their affiliation with the company, Dement said, adding that officials at Coremetrics don't think there was any attempt by the Web sites to hide the data-sharing from their customers.
"We just launched on March 27, and some companies haven't had a chance to update their Web sites," Dement said.
Deborah Pleva, a spokeswoman for Lucy.com in Portland, Ore., said in a written statement that the online retailer takes "the issue of privacy very seriously."
The company has "never rented, sold or in any way misused customers' personal information, and we never will," she added. The data that Coremetrics receives "is owned by Lucy.com and used only by Lucy.com," Pleva said.
Edward Schultz, vice president of business development at San Francisco-based Fusion.com, released a similar statement in which he said that the company's goal in using the reports prepared for it by Coremetrics "is to provide an enhanced user experience and to provide our users and customers [with] relevant information that will help them make better purchasing decisions."
But despite the disclaimers, Interhack founder Matt Curtin said, Coremetrics could use the personal data it receives from different online retailers to build "detailed dossiers of unsuspecting Web surfers" that could then potentially be stolen by malicious attackers.
Coremetrics officials have "all the data in their possession," Curtin said.
"That makes [the information] a great big target for a break-in." And although Coremetrics explains what it does and how consumers can choose to opt out of providing data on its Web site, the problem is that all of its online-retailer clients may not share that information with their customers or provide a link to the Coremetrics site, Curtin added.
The latest controversy comes as privacy advocates and the U.S. Federal Trade Commission (FTC) are calling on Congress to pass legislation that would regulate online privacy, instead of allowing companies to continue regulating themselves.
In this particular case, said Jason Catlett, president of privacy advocate Junkbusters Corp. in Green Brook, N.J., the question of whether Coremetrics is simply a subcontractor to its clients "is an area that can cause great confusion."
To clear up that confusion, Catlett said, Congress should pass legislation that would allow this sort of information-sharing but place a legal obligation on subcontractors such as Coremetrics mandating that they don't use the data for any other purpose.