In my most recent two columns, I've been discussing privacy policies. Today I want to look at some of the issues that can occur when you work with other organizations whose policies may differ from yours.

One of the sites I investigated where interested parties could fill in a form to request information included some information on opting out of receiving junk e-mail and other unsolicited marketing materials from itself, its business partners, and anyone to whom it chose to sell enquirers’ names.

The Privacy Policy included the following information:

* E-mail Opt-out Options: Each marketing e-mail We send includes instructions and an opt-out link.

* Refusing Cookies: Subject to the section below pertaining to cookies and Web bugs, you have the ability to prohibit being served an advertisement based on cookie technology. We utilize reputable third-party vendors to serve advertisements. If however, you are not comfortable with cookies, you can adjust the settings within your browser to further prohibit being served a cookie. Please see the browser’s instructions to perform this task.

* The National Advertising Initiative (NAI) has developed an opt-out tool with the express purpose of allowing consumers to "opt-out" of the targeted advertising delivered by its member networks. You can visit the NAI opt-out page and opt-out of this cookie tracking

* Other Options: If you would like to opt-out of Our promotional marketing, and would like to contact Us, please send Us an e-mail at privacy@ <suppressed> .com

Most people in the security field with whom I have discussed the issue argue strongly against opting-out as an acceptable form of control over the abuse of personally identifiable information. The European Coalition Against Unsolicited Commercial Email (EuroCAUCE) has a succinct explanation of the arguments; here is my summary of the issues:

* Opt-out schemes cannot cope with the sheer scale of spamming. Spreading e-mail addresses from one spammer to another inevitably outraces attempts to react to each new source after the fact.

* It is impossible to ensure that permanent do-not-spam lists are consulted by spammers.

* There is no mechanism for supervision of compliance efforts.

* There are no enforcement mechanisms to prevent abuse.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.