Profiling, Personalization, and Privacy | Electronic Commerce (Charles River Media Networking/Security)

Thanks to the Web and its associated technologies, organizations now have the ability to construct complex customer profiles, which in turn can fuel the ability to market highly personalized offerings and ensure superior service. Although this can offer a competitive advantage and help win the hearts and minds of new and loyal customers alike, the related collection of personally identifiable information (PII) raises the bar on how organizations should manage and control privacy.

Accordingly, today’s e-business strategies must prioritize the implementation of a protocol-based, enterprise privacy program—one that is rooted in e-business best practices and executed on a continual and comprehensive basis to:

Build and promote trust in the marketplace.
Enhance and preserve the value of data assets.
Operate a sound platform for ongoing privacy management.
Operate consistently with multiple privacy rules and standards.
Realize substantial privacy-management choices^[1].

Net Privacy: In the Eyes of the Consumer

Many consumers are responding to ubiquitous privacy^[2] breaches with intense levels of apprehension and strategies intended to reduce readily available information in their online profiles. In response, consumer-oriented privacy solutions are flooding the industry. These include protocols designed to shield instant messages (IM) from unauthorized eyes (see sidebar, “Standardized Protocols for Private Instant Messaging”), as well as software meant to ward off Web tags, or “cookies” and other Web bugs that create detailed profiles of customer preferences and purchases. Browser-enabled applications have also surfaced, intended to guard consumer privacy by means of capturing confidentiality preferences on the frontend.

Standardized Protocols for Private Instant Messaging

Although momentum is building for a standardized protocol for instant messaging, interoperability among IM applications continues to be vexed by unresolved business and security issues. Recently, the Internet Engineering Task Force (IETF)-sponsored protocol that would be a key to interoperability was criticized for being insecure by IM software vendors such as AOL Time Warner Inc. and IBM’s Lotus Software.

The Lotus-AOL test used a variation of Simple Implementation Protocol (SIP) known as SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE). It is one of three protocols being considered by the IETF as its Instant Messaging and Presence Protocol, or IMPP.

SIMPLE is considered the front-runner over Presence and Instant Messaging Protocol and the Application Exchange protocol because AOL and Microsoft Corp., two of the biggest players in the IM space, already have SIP infrastructure in place for other products. But that doesn’t guarantee the protocol’s success.

SIMPLE has a number of problems. It doesn’t deal with group messaging at all; it’s strictly one-to-one. It has a lot of problems with the firewall. But, it does seem to be the major contender.

Furthermore, interoperable IM will require universal security among the different IM clients. But the different players don’t want to use someone else’s technology.

It’s the not-invented-here problem. If you didn’t do it; you don’t want to use somebody else’s technology. The issue is really more a political one than a technical one.

Security is an issue as well for institutions such as the U.S. Army, which uses Bantu Inc.’s Bantu IM and Presence Platform. IM has proved popular among soldiers stationed overseas who use it to communicate with their loved ones back home, most of whom are using consumer IM clients such as AOL’s AIM, Microsoft’s MSN Messenger, and Yahoo Inc.’s Messenger.

The Army has decided to live with the security hole created in the interest of preserving troops’ morale. It would be really nice if you could give 128-bit SSL encryption to every IM client out there. Bantu’s done that; it’s similar to what Lotus has done with Sametime. But, with MSN and these others, it’s like the Wild, Wild West. Maybe it doesn’t matter to teenagers, but from the business perspective, it’s an issue.

The IMUnified industry group (comprising MSN, Yahoo!, AT&T WorldNet, Odigo Inc., and Openwave Systems Inc.) recently created a protocol for client-to-server IM interoperability that would allow IM clients to interoperate, provided the user had accounts with both clients. The standard was never adopted because of business and legal issues, such as IP rights and service-level agreements.

Finally, although vendors and technologists dream of a world where IM is every bit as ubiquitous as e-mail today, many users don’t rank interoperability among IM clients at the top of their priority lists.

Though important, these initiatives only touch the surface of privacy protection. Consumer preferences must be communicated and defended throughout the enterprise (beyond the browser to individual lines of business) to ensure security and privacy even after the data is collected. Furthermore, customer information should be safeguarded at the strategic, process, and transactional levels—at every turn and click.

^[2]Vacca, John R., Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Trade, 2001.