Privacy Disclosures of Web Sites in Taiwan

Article excerpt

ABSTRACT

This research involves two phases. In the first phase, 339 ".com.tw" and 15 major ISP sites located in Taiwan were examined, in order to draw a picture of the status of Web-site privacy disclosures. The results showed that most of them failed to meet the requirements of the Fair Information Practices. More than 80% of them did not show their privacy policies, and more than 30% failed to provide any statements regarding information privacy practices. Less than 10% of the Web sites explained how privacy concerns might be satisfied and what channels might be utilized for complaint. Over 80% did not display security or privacy seals. Among the Web sites collecting personal ID numbers, credit card numbers and birth dates, only 20% declared their privacy policies. The findings indicate that in comparison to the U.S., the importance of privacy disclosures has not been widely recognized in Taiwan. Sequentially, in the second phase, this study conducted in-depth interviews with the Web-site managers to reveal the possible disclosure determinants. Besides, the possible cultural impacts on Taiwan Web-site privacy practices have been discussed. Finally, some recommendations are given.

INTRODUCTION

E-Commerce technology has developed rapidly. The development of information technologies (IT) has allowed businesses to analyze the information they collect and thus to profile their customers. Many commercial Web sites collect personal information while customers shop or browse them, even though the information might not be necessary to fulfill a transaction. Exposed to the potential threats of unauthorized personal information usages, Web users or consumers are increasingly concerned with what personal information Web sites collect, how the sites use and control the information, and what security protections the sites provide.

To examine the privacy practices of Web sites in Taiwan, a survey was conducted to investigate the contents of online shopping Web sites, free Web resources providers, and major ISP Web sites. The privacy issues involved in the Web site contents include: (1) What kinds of information are being collected (the information that users are required to fill out)? (2) Are users informed that the system would collect information, which users did not explicitly provide, but could be obtained during the system operation process? (3) Are users informed about where and how the collected information will be used? (4) Are users asked to consent to secondary usages of information, i.e. usages unrelated to the original purpose for which information was collected? (5) Do the Web sites obtain consent from information owners regarding how the collected information will be shared with other organizations? (6) Are users informed about where the collected information will be stored, and how it will be protected?

In addition, this research intended to (1) discover whether ISP Web sites, which possess enormous amounts of sensitive information, would pay more attention to privacy disclosures than other commercial sites; (2) compare our findings with those from the U.S.; and (3) explore the possible reasons involved in the decision framework behind the status of privacy disclosures.

LITERATURE REVIEW

Information and Right to Privacy

The concept of privacy can be traced back to the article "The Right to Privacy" of Warren and Brandeis (1890). Justice Brandeis of the U.S. Supreme Court stated that the right to privacy is "the right to be left alone - the most comprehensive of rights, and the right most valued by civilized men1." Westin (1967) defined the right to privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others." Clarke (1999) pointed out "information privacy refers to the claims of individuals that data about themselves should generally not be available to other individuals and organizations, and that, where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. …