May I have some privacy, please?

Judging by this month’s cover story, the second wave of the Internet is going strong. Annual revenue from online ads is expected to nearly double in the next five years to about $9 billion, offering plenty of support for the mass of startups surfing Web 2.0.

But there’s a problem that threatens to take the energy out of the wave if it isn’t addressed: Internet companies aren’t doing enough to protect the privacy of their users. The issue hit the front page in August when America Online made public the search queries of more than 650,000 users without stripping them of information that could be used to identify customers. Using the data supplied by AOL, the New York Times figured out that user No. “4417749”—who searched for “homes sold in shadow lake subdivision gwinnett county Georgia” and several people with the last name “Arnold”—was 62-year-old Georgian Thelma Arnold.

AOL has booted its chief technology because of the debacle, which is a good start, but it doesn’t address the underlying problem: Internet companies—large and small—need to adopt real privacy policies to protect their users. Instead, they are evading legitimate questions about those policies. When the San Jose Mercury News recently asked Google and Yahoo how long they kept a user’s data, they both gave a reply worthy of a government spook agency: “For as long as it is useful.”

If Internet companies maintain that sort of arrogance and continue to ignore the privacy problem, consumers will eventually get fed up and push Congress to act. And once it becomes a political issue, you can be assured that lawmakers will be driven by emotion and err on the side of over-regulation.