The growth of the Internet and electronic commerce has dramatically increased the amount of personal information that is collected about individuals. As consumers engage in routine online transactions, they leave behind a trail of personal details, often without any idea that they are doing so. Much of this information is routinely captured in computer logs.
Most on-line companies keep track of users' purchases.
This information ranges from the trivial to the most sensitive and, unless
adequately protected, can be used for purposes that seriously harm the
interests of the consumer. Other companies gather personal information from
visitors by offering personalized services such as news searches, free e-mail
and stock portfolios. They then sell, trade, or share that information among
third-party companies without the consumer's express knowledge or consent.
The perceived value of this kind of information is behind the stock-market
valuations of many dotcom companies.
Spam
Many on-line companies, for example, provide
lists of their customers' e-mail addresses to companies that specialize in
sending unsolicited commercial e-mail (spam). Other companies mine e-mail
addresses from sources such as messages posted on mailing lists, newsgroups, or
domain name registration data. In one test by the US Federal Trade Commission,
an e-mail address posted in a chat room began receiving spam within eight
minutes of submitting a post.[1] Mining
or harvesting e-mail addresses produces a barrage of online advertisements.
Studies show that consumers resent spam both for the time it takes to process
and for the loss of privacy resulting from their e-mail address circulating
freely on countless directories.[2] Furthermore,
spam can result in significant economic loss to the consumer. A 2001 report by
the European Commission found that "Internet subscribers worldwide are
paying an estimated EUR10 billion (~USD9 billion) a year in connection costs to
receive junk e-mails."[3] The
European Union's Privacy and Electronic Communications Directive prohibits
unsolicited commercial marketing by e-mail without "opt-in" consent.[4] In Japan two new
anti-spam laws were passed in 2002. The laws allow users of the Internet and
text-enabled mobile phones to opt-out of spammers' contact lists, and require
that all unsolicited commercial e-mail be clearly identified.[5]
Profiling
Many companies, including Internet Service
Providers, search engine firms, and web-based businesses, monitor users as they
travel across the Internet, collecting information on what sites they visit,
the time and length of these visits, search terms they enter, purchases they
make, or even "click-through" responses to banner ads. In the
off-line world this would be comparable to, for example, having someone follow
you through a shopping mall, scanning each page of every magazine you browse
through, every pair of shoes that you look at and every menu entry you read at
the restaurant. When collected and combined with other data such as demographic
or "psychographic" data, these diffuse pieces of information create
highly detailed profiles of net users. These profiles have become a major
currency in electronic commerce where they are used by advertisers and
marketers to predict a user's preferences, interests, needs and possible future
purchases. Most of these profiles are currently stored in anonymous form.
However, there is a distinct likelihood that they will soon be linked with information,
such as names and addresses, gathered from other sources, making them
personally identifiable.
The most pervasive tracking technology is the
cookie. The cookie is a small file containing an ID number that is placed on a
user's hard drive by a website. Cookies were developed to improve websites'
ability to track users over a session. The cookie can also notify the site that
the user has returned and can allow the site to track the user's activities
across many different visits. The use of cookies expanded greatly when it was
realized that a single cookie could be used across many different sites. This
led to the development of advertising network companies that can track users
across thousands of sites. The largest ad service, DoubleClick, has agreements
with over 11,000 websites and maintains cookies on 100 million users, each
linked to hundreds of pieces of information about the user's browsing habits.
It is possible to configure the common browsers to reject or send a warning
notice before cookies are set. This does not provide much protection, however,
as websites will often refuse access to users who do not accept cookies or send
out so many repeated attempts that the user accepts the cookie in order to get
uninterrupted access.
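The cross-site use of a single cookie described above can be made visible by auditing the Set-Cookie headers a browser receives. The following is an added example, not part of the original text; the host names, cookie names and observations are constructed, and cross_site_cookies is a hypothetical helper.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlparse

def cross_site_cookies(observations):
    """Map each persistent third-party cookie to the sites where it was set.

    observations: (host of the page the user visited,
                   URL of the response, Set-Cookie header value)
    """
    seen = defaultdict(set)
    for page_host, url, header in observations:
        resp_host = (urlparse(url).hostname or "").lower()
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A cookie without a Domain attribute is scoped to the responding host.
            scope = (morsel["domain"] or resp_host).lstrip(".").lower()
            first_party = page_host == scope or page_host.endswith("." + scope)
            # Max-Age or Expires makes the cookie outlive the browser session.
            persistent = bool(morsel["max-age"] or morsel["expires"])
            if not first_party and persistent:
                seen[(scope, name)].add(page_host)
    # Only a cookie seen on more than one site can link visits across sites.
    return {key: sorted(sites) for key, sites in seen.items() if len(sites) > 1}

# Constructed observations: three page visits and the cookies set during each.
OBSERVATIONS = [
    ("news.example", "https://news.example/", "session=a1; Path=/"),
    ("news.example", "https://ads.adnet.example/banner.gif",
     "uid=7f3c; Domain=adnet.example; Max-Age=315360000; Path=/"),
    ("shoes.example", "https://ads.adnet.example/banner.gif",
     "uid=7f3c; Domain=adnet.example; Max-Age=315360000; Path=/"),
    ("shoes.example", "https://shoes.example/cart", "cart=9; Max-Age=3600"),
    ("menu.example", "https://cdn.other.example/font.css", "tmp=1"),
]

if __name__ == "__main__":
    for (scope, name), sites in cross_site_cookies(OBSERVATIONS).items():
        print(f"{name} @ {scope} links visits to: {', '.join(sites)}")
```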
A more secretive manner of monitoring online
users takes place through the use of web bugs. Web bugs are invisible graphics
that are placed on Web sites or in e-mails in order to track visitors to that
Web site or the recipients of e-mails (often spam). A Web bug on a Web site
collects information such as the IP address of the visiting computer, the
browser being used, the time of the 'hit', and also a previously set cookie
value. In an e-mail a Web bug is used to discover if and when the e-mail
message was read, how many times it was forwarded, and the IP address of the
recipient. A marketing e-mail directing users to Web sites can also be used to
link the e-mail addresses of those that later visit the site to their cookie
data. Web bugs can also be used in newsgroup messages to track readers.[6]
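A mail filter or privacy audit can flag the invisible graphics described above before they are fetched. The following is an added example, not part of the original text; the sample message, host names and the find_web_bugs helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    return (value or "").strip().lower().replace("px", "") in ("0", "1")

class WebBugFinder(HTMLParser):
    """Collects <img> tags that are invisible to the reader."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        host = (url.hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or 0x0 size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if not reasons:
            return  # a visible image is not a web bug
        if host and host != self.first_party and not host.endswith("." + self.first_party):
            reasons.append("third-party host")
        if url.query:
            reasons.append("query string present")  # may carry a message or user ID
        self.findings.append({"src": a["src"], "host": host, "reasons": reasons})

def find_web_bugs(html, first_party):
    finder = WebBugFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: body of a marketing e-mail sent by shop.example.
SAMPLE = """<p>Our spring sale starts today.</p>
<img src="https://shop.example/img/banner.png" width="600" height="120">
<img src="https://track.adnet.example/o.gif?m=msg-1001" width="1" height="1">
<img src="https://shop.example/px.gif?c=42" style="display: none">"""

if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE, "shop.example"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```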
In the offline world, profiling has been thriving
for decades.[7] Profiling
companies build personally identifiable databases based on a plethora of
sources including supermarket purchases, product warranty cards, public
records, census records, magazine and catalog subscriptions, and surveys. This
is done in the absence of legislation that would prevent dossier building.
Companies also "enhance" dossiers that they already own by combining
or "overlaying" information from other databases. For instance, a
business may request a name and phone number directly from the customer, and
then use this information to purchase other personal details. These dossiers
may link individuals' identities to any number of facts deemed private by advanced
societies including medical conditions, physical characteristics, and lifestyle
preferences.
The line between online and offline profiling has
become more and more blurred. In 1999, DoubleClick announced that it was buying
Abacus, owner of the largest direct marketing lists in the country, with
information on the purchasing habits of 90 percent of all United States
households, and that DoubleClick was going to merge information from the
purchasing databases with information from online browsing. Following a public
outcry, the company suspended its plan to merge personal data with profiles.
However, in July 2000 the Federal Trade Commission reached an agreement with
the Network Advertisers Initiative, a group consisting of the largest online
advertisers including DoubleClick, which will allow for online profiling and
any future merger of such databases to occur with only "opt-out"
consent.[8]
[1] See the
Federal Trade Commission Spam Workshop
<http://www.ftc.gov/bcp/workshops/spam/index.html>.
[2] For more
information on spam generally and how to reduce it see
<http://www.junkbusters.com> and <http://www.cauce.org/>.
[3] European
Commission, Unsolicited Commercial Communications and Data Protection, January
2001 available at
<http://europa.eu.int/comm/internal_market/en/dataprot/studies/spam.htm>.
[4] <http://register.consilium.eu.int/pdf/en/02/st03/03636en2.pdf>.
[5] Toru Takahashi,
"Two new laws aimed at cutting spam," Daily Yomiuri (Japan), July 2, 2002 <http://www.yomiuri.co.jp/newse/20020702wo32.htm>.
[7] See EPIC's
Profiling page <http://www.epic.org/privacy/profiling/>.