What if you run a Web site that includes online advertising or e-commerce capabilities? If you let an Internet ad agency place ads on your Web server, be sure you understand fully how its information collection policies sync with yours. You owe it to your customers to collect only information you truly need to run your business. We strongly recommend that you publish a detailed privacy policy that clearly states what type of information you collect, why you need it and what you do with it. TRUSTe offers a clever fill-in-the-blanks wizard, which you can use to write a decent first draft of a privacy policy. Of course, the results are pure vanilla, as befits an organisation whose primary purpose is to defuse calls for government regulation of the Internet. For a much more detailed look at the subject, read "Surfer Beware III: Privacy Policies Without Privacy Protection" (www.epic.org/reports/surfer-beware3.html). This report, by the Electronic Privacy Information Centre (EPIC) in the US, is a no-punches-pulled review of how the 100 top e-tailers handle personal data. For consumers, it offers an excellent primer on how to decipher the "legalese" in a typical privacy statement. For businesses, it also provides detailed instructions on how to create a meaningful privacy policy. The results of EPIC's study are depressing: all 100 sites collect personal information, such as names, addresses (snail mail and email), and phone numbers; and 86 sites use cookies. Only 21 of the top 100 sites appeared to limit the uses of personal information to that required for the transaction, and more than one-third include profile-based advertising without any warning to customers. Internet ad agencies rationalise profiling by explaining that it lets them personalise the browsing experience. They claim that by knowing your preferences, they can serve up banner ads which are more likely to appeal to you than randomly selected ones. Maybe so, but most Internet analysts see a more logical explanation: click-through rates on banner ads are shockingly low, so the best way for ad agencies to make money fast is to mine their data and deliver targeted lists of prospective buyers to their clients. Of course, cookies aren't the only way to siphon data from your computer to a far-off server. With the explosion in popularity of always-on Internet connections, it's amazingly easy for software developers to write Internet connection code into their releases. That's the time-honoured principle behind Trojan horse programs like Back Orifice. If a company can convince you to install the program in the first place, it has free rein to snoop through your data and transmit at will. So what happens when the Trojan horse comes in the form of trusted software? Just last year, three popular programs were discovered to be making surreptitious Net transmissions. Real Networks' RealJukebox transmitted statistics about music files to the mothership. Comet Cursors, a browser add-in that transforms an ordinary mouse pointer into a custom image at partner sites, sent serial numbers (stored in a cookie, naturally) back to a central server to track its product's usage. And a silly holiday-themed computer game called Elf Bowling wasn't infected with a virus -- as persistent Web rumours insisted -- but it did open an Internet connection capable of transmitting data. In all three cases, the impact on consumers was minimal. The real damage to the companies was measured in PR terms, as each one had to apologise to its users and somehow convince skeptical observers that its failure to disclose the hidden communications channel was an innocent oversight. However, sooner or later -- probably sooner -- an unscrupulous developer will use this capability to really steal data. Don't let it be yours. Take me to the Surveillance 2 ZDNet News special.