Trilight Zone

[digital8]

For any study of privacy on the Web, it is important to establish a figure for Web-site privacy policies along with the use of visitor registration and cookies. A study of the same sites over a period of time thus could reveal the extent of these practices and their pattern of growth or decline. In addition, it is necessary to note the manner in which the sites advertise any existing privacy policy, ask for registration (voluntary and obligatory), and deliver cookies (by notification of the user or surreptitiously). The June 1997 EPIC survey of Web sites listed by www.hot100.com (see Note 1) can serve as a point of departure for a new survey of the same sites.
From its survey, EPIC arrived at several recommendations. Web sites need to make readily apparent a privacy policy and explain how any information collected is to be used. In addition, sites must allow users access to any data collected on them. Finally, cookie usage must be made less secretive because the users should not be expected to initiate any plan to discover and monitor the cookies being passed to them. These recommendations echo those made by the Internet Engineering task Force with RFC 2109 (see Note 9) and by Netscape before the FTC privacy hearings (see Notes 10 and 36).

Not all the sites in the original EPIC survey are engaged in direct commerce with consumers, of course; the goal of the EPIC survey was not to examine the use of registration and cookies as an aid to commerce. Rather, EPIC wished to examine registration and cookies as an aid to data collection on a site's user. Trying to establish whether a particular type of data collection is malevolent or whether it actually does transgress the bounds of personal privacy was also beyond the scope of its study. Nevertheless, simply determining the amount of registration/cookie use is important to know for those who continue to see inherent dangers in such practices and who have, in many cases, already taken steps to protect their privacy while warning others of this perceived threat.

The advantage in reusing the list of 100 Web sites examined by EPIC for this present study is that this list represents a fairly stable set of sites and thus can reduce the affect of any mortality on a study to be conducted after a six-month period (December 1997). A few of these sites may have been of ephemeral interest, but such sites won't be so numerous as to effect the results [ 38 ]. Thus, the same sites were examined again between December 5-7, 1997 in order to compare its results with the EPIC survey. For every site visited, the data sought reflects four main sets contained in the EPIC survey:


The collection of personally identifiable information by various registration methods
The existence of a privacy policy
Access restricted by registration
The passing of persistent cookies
In addition, care was taken to notice the location of a site's privacy policy (if existent), and if this policy contained a cookie explanation (should the site pass cookies) or if such an explanation were found elsewhere. Unlike the EPIC survey, this study did not attempt to judge the adequacy of privacy policies or user access to personal information because much of this data is open to interpretation.