PCW: Internet regulations compromise browser privacy

Friday, August 11, 2006


As a journalist at PC World Australia:

A recent study has found that costly regulatory systems that place strict controls and regulations on Web site operators may not have their desired effect on online security. Instead, a self-regulatory system may be the best way of encouraging browser privacy on the Internet.

Internet users are typically asked to submit some personal information before transacting online. The study, run by Karim Jamal of the University of Alberta's School of Business, analysed how this information was used by the top 100 US-based online brokerages and businesses, including popular names like eBay. These Web sites were compared against 56 similar sites based in the UK.

At the time of the study, the laws that now govern US-based Web site operators had not yet been put in place, so the Internet was a largely self-regulated domain. UK-based online operators, on the other hand, had their actions regulated and monitored by a large government bureaucracy.

The study found that while most of the Web operators in both countries did a good job of protecting user information, operators in the UK tended to be less forthcoming in disclosing their privacy policies. According to Jamal, sites in a self-regulated environment were more open about their policies to attract the trust of customers.

About a third of US sites were certified by Web privacy seals from Truste or BBB online to further reassure customers of the sites' trustworthiness.

"We found that Web sites who had a Web seal had very good disclosure of their privacy policies - easy to find, easy to read, much [more comprehensive] than Web sites without such seals, and none of them leaked customer data," Jamal said.

Web seals were far less prevalent in the regulated UK market. Not one of the UK Web sites studied was authenticated by a Web seal. Furthermore, the study found that several UK Web sites either presented convoluted privacy policies written entirely in legalese, or simply failed to disclose their privacy policies in clear violation of the law.

"They were hard to find, hard to read and provided as little information as possible," said Jamal, suggesting that the UK privacy policies served the purpose of preventing lawsuits instead of comforting and attracting customers.

Five US and three UK Web sites were discovered leaking personal information of their customers and even of Web surfers who cancelled their transactions before they were completed. Compromised accounts in the UK received much more spam than in the US, indicating that data was sold more widely in the UK.

"There was complacency, lack of compliance and legalese," Jamal said of the regulated UK market. "The law seems to undermine development of a market for seals, undermines the incentive to provide good disclosure in the privacy policy and creates false comfort."

Meanwhile, an unregulated market has been shown to encourage investments in filters and various authentication methods, including privacy protection via ISPs and Web seals, as operators are forced to rely on their reputations to promote their clean practices.

"The law freezes existing technology issues and solutions at a point in time and it is very easy for people to work around the law," Jamal said. "Very elaborate rules can be created, but it is very easy for people who want to get around them to defeat the spirit of the rules."

Jamal's findings were published in the July edition of the US journal Business Ethics Quarterly.