There have been many emails about the PepperBall, but perhaps the most emotional feedback has been about my short stories on healthcare. The cry for more efficient, effective, and affordable healthcare is universal. One reader said, "I was happy to see your take on healthcare in your recent blog. This is a field where some good IT could solve redundancy quagmires, but one of the basic problems is privacy. I think people reject the idea of their healthcare info being in a database for fear unauthorized people would be able to get at it to find out what their ‘weaknesses’ are".
Of all the issues which will affect the future of the Internet, the safeguarding of our personal information when it travels on or over the Net is likely the most important because it is at the heart of Trust — and without Trust the Net will not be able to realize its full potential. This means that information about an individual needs to be handled in a way that is consistent with the privacy and security expectations of the individual — if not, there will be no trust. I am planning a series of stories about trust. There may be other stories along the way, but this is Part 1.
MyFamily.com is a very useful site for families to share information, calendars, photos, and to learn about genealogy. As part of the registration process on the site, people are providing not only their own personal information, but also the name, email address, and (optionally) the birthdays of their children. This represents some very serious information that a person is entrusting to this web site. The management of MyFamily.com is committed to their privacy policy but what happens if MyFamily.com gets acquired? What assurance do we have that the policy will survive? How do we know that the site is safe from hackers? How do we know we can trust the I/T staff not to look at our personal family information? There are numerous questions of this nature that are not Privacy Policy per se –they are actually more about security in many cases — but questions about which people will eventually get concerned when they begin to think about the fact that they may have placed their entire family history and photo gallery on a web site.
One element of privacy on the Net is “Opt in” versus “Opt out”. When you register at a web site you will often see a small box to be checked giving you the “option” to be included or not included in subsequent emails making offers to you. Opt in means you proactively choose to be included. Opt out means you are included by default and you have to take action to be removed from the list of those who will automatically receive the emails. In some cases you have to read the words very carefully to determine which case is the default. This is part of Trust. Is the site really opening up to you and making it very clear what your options are, or are they making the words a bit fuzzy and hoping you won’t figure out what the default actually is?
Citigroup introduced a service two years ago called c2it to enable the sending and receiving of cash via e-mail. You simply visited the c2it site, specify which of your checking, savings, or credit card accounts you wanted the money to come from, and enter an email address for someone you want to send the money to. That person would then receive an email, be asked to enroll in c2it, and then accept the money from you directly into their checking, savings, or credit card account. This seemed like a potentially useful service to me when I learned about it and so I enrolled. Only after I enrolled did I find out that there were fees involved. Then I discovered that incoming amounts are not credited to your account for five to six days, which is longer than if I had received a check and deposited it myself. Then I discovered that there is no fee to receive into a Citibank credit card but there is a fee if it is another bank’s credit card. I am not saying the fees are unreasonable – the competition from PayPal and other services determined that.
The issue was trust. It would be easy to get the feeling that Citigroup was not being forthcoming about their offering. Now comes the good part – Affiliate Sharing. The enrollment page on the web site said “Citibank FSB is allowed by law to share with its affiliates any information about its transactions or experiences with you. Please check this box if you do not want Citibank to share among its affiliates any other information you provide to us or that we get from third parties”. We are talking about a sweeping allowance to provide a broad and undefined amount of information about you with a broad and undefined audience. Should the default be “check this box if you do not want” this? Seemed to me that this was an obvious case where it should have been opt in not opt out. Trust might wane a bit further.
Then came the Marketing Offers. “Citigroup may still send you marketing offers by telephone, mail and e-mail. If you do not want to receive such marketing offers, please write to the address below and include your name, address, social security number and tell us you don’t want offers by mail and/or phone and/or e-mail”. Write to us? This highly automated web site that can transfer money in and out of any account can’t have one more check box; preferably with “check here if you would like us to make offers to you”? I sent the letter and am not sure how long it took to get “processed”, if it ever was. In the meantime, I began receiving unsolicited marketing offers. Citigroup is a superb marketing oriented company but the approach with this Internet offering clearly did not build trust with new enrollees even though the company is a highly trustworthy organization.
The following now appears on the c2it website:
IMPORTANT NOTICE – c2it service has been discontinued as of November 9, 2003. All financial transactions on the www.c2it.com website have been permanently disabled.
