Security issues pose osbtacles to continued growth of online research

Privacy, please

Editor's note: Beth Mack is president and CEO of i.think inc., a Dallas research firm.

Online market research has found its niche as respondents and clients alike discover the inherent advantages the Internet offers. As a result, the online market research community is flourishing. The newsletter Inside Research reports that less than $3 million was spent in the United States in 1996 on online research. The same publication says that in 2001, that number had soared to more than $500 million.

The move to online research is attributable to the methodology's promise of speed and, in some cases, reduced costs. General Mills, for example, has stated that using online methods reduces survey time by as much as two-thirds and saves an average of 50 percent over traditional methods.

The growth of Web-based research has spawned new subject matter for testing, including Web site effectiveness and audience demographics; and the effectiveness of online advertising. At the same time, many traditional research activities have moved online such as qualitative research, concept testing, and consumer satisfaction studies.

This new medium has heightened public concern over privacy and security. Our response to these issues will be critical to the continued success of online research.

We've always worked hard to maintain the integrity of the data collected and protect respondents' private information. And we've been careful to ensure that the data was kept confidential and, when necessary, locked in secure files.

The Internet has brought those issues to the forefront because of the vulnerability of data stored on unsecured servers. Years ago, we had small worries about the possibility of someone stealing a file, or selling mailing lists without authorization. Now, with servers connected to the Internet, whole databases are at risk of being compromised by hackers, worms, viruses and a whole host of other issues that were unknown a few short years ago.

These issues are making ethics even more important in the online community to ensure that privacy is protected and that clients are served by ensuring the data delivered is trustworthy.

Trusting relationship

With this in mind, online market researchers have a high level of satisfaction to meet. There are a number of ways through the Internet to accommodate and build a trusting relationship not only with the client, but also with the research respondent. Through developing guidelines, adopting or creating a code of ethics, posting privacy statements, instituting strong security measures and acting honestly, the Internet can serve as the tool of choice for clients and respondents.

Unfortunately, consumers don't have a lot of confidence in online privacy. A study by Forrester Research found that just 6 percent of respondents - one out of 16 - trusted Web sites with their personal information. There is good reason for them to be worried. Identity theft is rising, and businesses and agencies that retain consumer information are under frequent attack by hackers. A recent FBI and Computer Security Institute study found that 85 percent of companies surveyed experienced Internet security break-ins over the last year.

Because privacy and security are closely related, they are often lumped together. But privacy policies won't solve security problems, and without Internet security, there can be no online privacy.

Privacy is possible if policies and technology are properly coordinated. The Federal Trade Commission cites four key elements of privacy. Two of them, notice and choice, are policy questions. The other two, access and security, are technology issues.

Notice and choice policies inform people how their information will be shared and allow users to opt out if they don't want that information sharing to occur. If consumers think that notice and choice policies will safeguard sensitive personal information on the Internet - and then discover that their Social Security numbers have been stolen -their confidence in online transactions will be shaken.

Because the online privacy debate has focused on notice and choice policies and overlooked security technologies, the legislative remedies don't begin to address the overriding public concerns about online theft or wrongful manipulation of sensitive personal information.

For example, the Consumer Internet Privacy Enhancement Act, which Congress is considering, has many provisions on notice and choice policies, but none on online security. The Health Insurance Portability and Accountability Act (HIPAA), whose privacy regulations have created such a furor, doesn't address security regulations. Even legislation calling for a privacy commission ignores the need to study Internet security measures.

Fortunately, some privacy legislation does reference security. For example, the Financial Services Modernization Act, which prompted banks to send a torrent of privacy statements to consumers, also requires financial institutions to safeguard customer information, protect the security and integrity of records, and guard against unauthorized access. The new cyber crime initiative pushed by Attorney General John Ashcroft also is a step in the right direction.

Strong programs

The message is clear. Either we get ahead of the issue and institute strong privacy and security programs within our industry or the government will do it for us. Our industry needs to do a better job of recognizing these are critical issues and take steps to address them within our community. On a national level, we need to educate consumers and elected officials on the link between online privacy and security. On an individual company level, we need to ensure that the data we collect is safe and that our privacy systems are well established.

Privacy notices appear invaluable in helping to ease concerns over sharing information. According to a study conducted in the spring of 2001 for the Privacy Leadership Initiative (PLI), consumers are increasingly paying attention to online privacy statements (82 percent in April 2001 vs. 73 percent in December 2000).

The study also revealed that consumers are more likely to reveal personal information if given an incentive. And while almost half (45 percent) of online users feel business Web sites are better at providing privacy notices, a majority (59 percent) still feel that businesses do not do a good job of informing consumers about what they do with their personal information.

Fortunately, over the past few years, some associations have developed ethical guidelines for the Internet to provide a consensus of what is acceptable in the online world of research. These guidelines can help the online market researcher develop their own set of guidelines for viewing by the client or respondent.

The Marketing Research Association (MRA) is just one of many associations creating an online market research ethical guide. Its Code of Data Collection Standards outlines basic rules to data collection that apply to market research and online market research.

These guidelines include:

• Respondent cooperation should be voluntary.
• The researcher's identity should be disclosed to respondents.
• The respondent's rights to anonymity should be safeguarded.
• Privacy policy statements should be posted online.
• Data security should be maintained.
• Reliability and validity of findings should be disclosed to the public.
• Researchers interviewing minors should adhere to the Children's Online Privacy Protection Act.

Customer/respondent transactions and consumer confidence are the lifeblood of a business and nowhere is that more evident than on the Internet. But these critical business elements are now under daily attack by computer viruses, online security breaches, and highly publicized hacker invasions, compounded by the threat of cyber-terrorism.

High confidence

Internet experts agree that the potential of electronic business will not be achieved until businesses and consumers have high confidence that the transactions they conduct - and the sensitive data they place on the Web - are safe and secure. Implementing the MRA's suggestions above and rigid implementation of privacy policies will go a long way toward ensuring continued growth of our industry.

Internet experts agree that the potential of electronic business will not be achieved until businesses and consumers have high confidence that the transactions they conduct - and the sensitive data they place on the Web - are safe and secure. Implementing the MRA's suggestions above and rigid implementation of privacy policies will go a long way toward ensuring continued growth of our industry.