8.2 User-Provided Information

8.2 User-Provided Information

Some of the most detailed, revealing, and damaging sources of personal information on the Internet are Internet users themselves. If you want to buy a t-shirt or a compact disc on the Web, you need to give that web merchant a name and address where the merchandise will be shipped. As the vast majority of the purchases made on the Web are made with credit cards, you'll probably also need to give a credit card number. And because there is a lot of fraud on the Internet, you probably won't get your merchandise without a lot of hassle unless you provide the name and the billing address for the credit card used to pay for the order.

Most web merchants go beyond the minimal information needed to satisfy online orders. For example, a merchant might ask for your email address and a few phone numbers, to allow the merchant to contact you in the event of a mishap. Many merchants set up accounts for their customers so that this information doesn't need to be entered time and again. These accounts require usernames and passwords. These accounts can be used to track a person's purchases over time. Some merchants go further, and ask their customers to provide the city of their birth, or their mother's maiden names, so that if a consumer forgets his password, another question can be asked (see Figure 8-1 and Figure 8-2).

Figure 8-1. By far, the greatest kind of personal information on the Web today is the information provided by consumers when they register at web sites.

Figure 8-2. Disney's registration page for adults asks for name, email address, gender, and birthday, in addition to mailing address. Many people are surprised how identifying even simple demographic information can be. For example, in many cases a person can be uniquely identified by day of birth (without the year) and Zip code.

At the present time in the United States, there are few restrictions on what web sites can do with personal information once it is collected. While some merchants have posted so-called privacy policies, which may outline some of their rules and restrictions on personal information, posting of privacy policies is voluntary. (For more information on privacy policies, see Chapter 24.) Many other countries have more restrictive rules about what can and cannot be done with personal information, although these countries have, for the most part, been slow to extend their legal regimes to the world of the Internet.