"At the heart of the Internet culture," Andy Grove says, "is a force that wants to find out everything about you." The Intel chairman is famous for his paranoia, so it might be tempting to dismiss his statement as exaggeration. But, as the saying goes, "Just because you’re paranoid doesn’t mean that everyone isn’t out to get you."

Who is right? Who knows? It is a complicated subject. But, in the lively debate that follows, the two shed lots of light on a subject that, while much discussed, often is misunderstood.

ADAM PENENBERG: I don’t trust self-regulation. For an article in Forbes magazine that led to my book, I challenged an Internet information broker to investigate me, starting with just my byline. Within a week, he had obtained unbelievable amounts of personal information. This guy was able to pull up my bank accounts, my salary, individual checks I had written, and even whom they were made out to. He had my long-distance phone record, and found out whom I called and for how long. He had my utility bills.

People would be surprised at how much personal information is out there. In America, our Social Security number is often our identifier. That number is very easy to get. You can go on the Internet right now, and an information broker will sell you anybody’s Social Security number for $39. Eventually, technology will be able to bring together all the information you could ever want on a person. Then what?

JOHN KAMP: Private investigators could find all that about you before the Internet. They can just do it faster now.

You’re right that there is a lot of public data. But I suspect your investigator used some means that are illegal or could be made illegal, especially to get access to your bank records. I also think we’re going to figure out ways to give people more control over their data.

PENENBERG: Yet, today, the only protection for most consumers is a voluntary agreement between the Federal Trade Commission and something called the Online Privacy Alliance, which includes some 80 global corporations and associations. You go to one of their Web sites, and there’s some kind of seal certifying that they’re trustworthy. Are they? Even if they are, what about the thousands of companies that aren’t part of the alliance?

KAMP: I don’t think our views are all that far apart. My primary client, the Internet Advertising Bureau, is a member of the Online Privacy Alliance. The alliance’s position is that a company’s privacy policy should be totally transparent to the consumer. In fact, it makes good business and ethical sense for companies to give people notice. I think transparency is the basis of a reasonable relationship.

Companies should also pay attention to who has access to the information they collect, and to the security with which that information is guarded.

PENENBERG: But you’re still talking about industry regulating itself, right?

KAMP: Yes, with some clear exceptions where federal law exists—such as information involving children, money, and health matters. Self-regulation has taken us to the point where more than 90% of the most heavily used Web sites have voluntary privacy policies enforced by the FTC. These sites are subject to being busted by the FTC and state attorneys general if they violate their posted privacy policies.

My personal choice going forward—and I wouldn’t be surprised if the Internet Advertising Bureau advocated this soon—would be a law that would require notice and choice. [In other words, companies would have to inform customers about their privacy policies and would have to give consumers the choice to not have any information about them passed on to other companies.]

Indeed, I predict that Congress will pass a broad law about privacy this year. We’ll also have some form of federal standard set for privacy specifically on the Web.

PENENBERG: But it has to be the right law. Some of the legislation being considered would still require consumers to specifically opt out if they don’t want data about them to be passed around. We need a law that says companies have to get consumers’ permission before collecting and using personal data. Without that sort of "opt-in" law, we still have a huge problem.

We’re moving toward a more data-centric world. DoubleClick, Digital Island, Engage, and others are working on technology that goes beyond just compiling all the information about what someone does online [information that may be tied to the e-mail address that the online user provides or to the computer that he uses]. The new technology would link all that information to the real-world identity of the Internet user. It’s bad enough that companies, without knowing my name, are compiling profiles of me online based on how I use my computer. Imagine if they could combine those profiles with my name, phone number, address, history of catalog purchases, and so on. The linkage creates all kinds of new possibilities for invasion of privacy.

To lessen the danger, we have to do something, such as adopt the European Union’s position on privacy, which says flatly that companies can’t sell personal information gathered about their customers.

KAMP: I don’t think an opt-in law is a good idea because it places too much of the burden on companies and consumers. I also don’t think the EU system, which gives the government too much control of the data, is a good system. Culturally, Europeans have more trust in their government than Americans do, so Europeans give their bureaucracies more power. But the EU’s implementation of its privacy principles has been awful. Self-regulation in the U.S. has actually given consumers more control over their data than government regulation in Europe.

PENENBERG: I worry, though: With so many dot-com companies going out of business in the U.S., what happens to their databases?

KAMP: That’s a good question. The major case before us is the Toysmart bankruptcy. Toysmart had promised customers that it would never sell data about them but then, in settling up with creditors, tried to sell its entire database. Customers, the FTC, and others have objected in the bankruptcy court. Privacy promises by companies should survive bankruptcy. I think that we also will have to have a federal statute in that area soon.

PENENBERG: I agree. I doubt self-regulation because it has brought us companies like DoubleClick, which says it gathers information about people for their own good. [The company says that, if it can help companies target their ads to solid prospects, consumers will be less likely to be inundated with information about products they have no intention of buying.]

Not that anybody believes government will do things exactly right when it comes to privacy. In fact, among the biggest disseminators of personal information are government agencies such as motor vehicle departments. My father passed away in May, and within three days my mother, because of the death certificate, I guess, was bombarded with junk mail.

Technology may have to provide the ultimate answer on privacy. Recently, I came across a West Coast company called Privada. It’s signing on Internet service providers and has a deal with Cisco Systems. It’s going to treat Internet privacy like an add-on service. Cisco will sell a router that will eventually be in practically every home in America. Anything a consumer does from home—surfing, making telephone calls—will go through the router, and Privada will ensure that all the activity is anonymous, for about $2 a month. So, you’ll pay for online privacy much as you do for an unlisted phone number.

People will take privacy into their own hands, because self-regulation doesn’t work.

KAMP: Dozens of companies are developing versions of that. They’re responding to customer concerns, not government policy.

Some firms are working on guaranteeing a value exchange. I will reveal, for example, that I am in the market for a car, in exchange for some kind of a discount on that car. Likewise, I will often respond to a prize or incentive.

PENENBERG: That’s right. But I’d like to see an Internet environment that allows individuals to be totally anonymous, to behave, if they want, in the outrageous ways that people did at masked balls in the 18th century.

KAMP: We want to step carefully here. Early in my career, I taught libel and privacy law in college. If everybody were anonymous on the Web, people would have the opportunity to defame others without consequence. It’s one thing if I want to masquerade as a dog or pretend I’m a woman in chat rooms. It’s quite another to be able to anonymously defame a person or kill a company’s stock price.

PENENBERG: Anonymity also lets real information get out, about companies or anything else. It allows people to say things that they wouldn’t say normally.

KAMP: Beyond that, anonymity would radically decrease the efficiency of advertising on the Internet. The American people have voted with their browsers, and they have not been willing to pay for content, so, advertising supports most content sites. If advertisers can’t reach their audiences through Web sites, much content would disappear. There’s no free lunch.

If a company gives me content free, I may be willing to allow it to know a little bit about me. In fact, I would prefer that it had enough information about me to know that my kids are out of college and I’m not in the market for diapers. Thus, I get content and advertising customized to my interests and buying habits.

PENENBERG: You’re assuming that consumers have approved the current advertising model. We weren’t asked. It kind of evolved. And it’s not working that well.

KAMP: We don’t know if today’s advertising model will be the primary model going forward. But let’s be careful not to break what is working. Let me cite one powerful example. The relatively free flow of financial information in the U.S. allows us to get home loans at least one percentage point lower than similar loans in Europe. I really care about that percentage point. I think we want an information society where data are exchanged freely enough so that we can get the lowest-cost services. That won’t happen if government intrudes or we’re at a masked ball.

We don’t know what the future holds, so let’s not make precipitous choices in law or technology that systematically exclude potentially good ideas. Let’s not damp the fantastic potential of the Web.

These are very difficult issues, and there’s not a simple answer.

PENENBERG: I think there is a simple solution. The Web environment ought to be a place where people opt in. If they want to give away personal information, that’s fine. But they should actively give permission to the advertiser, as opposed to opting out, where you have to actually go to an advertiser’s Web site and pull your name out of the advertiser’s data.

I also think people should be paid for their time and trouble. If companies are going to be looking to us for market research, then they ought to pay us.

I’d like to see a lot more discussion about all these databases with people’s personal information. I want DoubleClick and companies like it to guarantee they’ll never do two things. One, sell information that they’ve acquired about me unless that’s part of the agreement that I made with them. Two, work on technology that can track my online movements and find out my real-world identity. I’d also like online companies to automatically tell me everything they know about me.

Self-regulation hasn’t gotten us there.

Penenberg can be reached at spookedauthors@yahoo.com. Kamp can be reached at jkamp@wrf.com.