Keeping Big Brother From Watching You:

Privacy in the Internet Age

A Citizens Against Government Waste Special Report
from http://www.cagw.org/publications/lookinglass/pubs.looking.privacy.htm

By: Philippa Jeffery


Introduction

In his classic novel 1984, George Orwell depicts the nation of Oceania ruled by Big Brother—government in control of all aspects of life through constant video surveillance and control over people’s beliefs and opinions. The Thought Police, charged with maintaining order and love of Big Brother, keeps careful watch over—and control of—the citizenry. The vain struggles of Orwell’s protagonist to win a small slice of liberty serve as a stark allegory of totalitarianism’s threat at the dawn of the Cold War.

While America today clearly does not resemble Oceania, the advent of the Information Age raises old concerns about protecting personal privacy and proprietary information, including medical and financial data, from the government, private companies, and other individuals. Information on one’s personal habits is increasingly gathered through myriad transactions, including credit card charges, cell phone calls, and check card purchases at the local grocery store. While these activities are generally financially secure, data from such New Economy tools can be used to keep track of people’s personal preferences. In today's world, Orwell's concerns can shed light on the collection of personal medical or financial information by federal government agencies, and the sharing of that information with other agencies to be used contrary to the purpose for which it was collected.

The difference between privacy in the public and private sector is clear. In the public sector, the citizen has no choice but to provide the federal government with legally required information in the form of tax returns, a Social Security number, student loan information and other data. It is precisely because of this authority that the government has the highest legal and moral obligation to ensure that this information is protected, especially as citizens have little recourse to compensation if it is used incorrectly.

In the private sector and on the Internet, however, the citizen has numerous options to withhold information—the ability to disable cookies, use P3P technology built into browsers, and examine a site’s privacy policy and move on if the provisions are unsatisfactory, just as one would walk out of a store with poor service or quality in the offline world. Additionally, if users feel the site is not complying with its posted privacy policy, they have recourse to legal action, just as they do when a business promises to keep personal information private, fails to do so, and causes harm. Furthermore, since April 2000, the Federal Trade Commission (FTC) has had the right to bring enforcement actions and impose civil penalties for violations of privacy law.

The key to privacy is choice in providing information—it can be controlled in the private sector, but in the government it’s compelled by law.


Privacy and the Federal Government

Today, the federal government collects more personal, medical and financial information about people and their families than any other entity. It is unlikely that many Americans are aware of the extensive information gathered about them and controlled by the federal government. Your name, address, race, income, student records, medical history and other data are on magnetic tape or other media all over Washington, D.C. Here are just a few examples:

  • The Commerce Department—Individual and Household Statistical Surveys, which include an individual’s name, age, birth date/place, sex, race, home/business phone, address, family size and composition, patterns of product use, drug sensitivity data, medical/dental/physical history, and such other information as is necessary. Other lists include Minority-Owned Business Survey Records and Users of the Public Room of the Patent & Trademark Office.
  • The Department of Education—National Student Loan Data System and a Registry of Deaf-Blind Children/Regional-National.
  • The Department of Energy—Records of Alien Visits, Counterintelligence Investigative records, records of power sales to individuals, as well as Human Radiation Experiments records.
  • The Federal Bureau of Investigation—FBI Central Records System, Alien Address reports, the Witness Security Files Information System, and parole records.
  • The Department of Health and Human Services—massive quantities of medical records in the National Claims History Billing and Collection Master Record System and the Person-Level Medicaid Data System.
  • The Department of Housing and Urban Development (HUD)—Single Family Research Files, mortgage files, Income Certification Evaluation Data Files and Tenant Eligibility Verification Files.
  • Department of the Interior—Individual Indian Monies database, Indian Student Records and lists of Foreign Visitors and Observers.
  • The Department of Justice (DOJ)—Inmate Physical and Mental Health Records System and other information related to prisoners, as well as an Information File on Individuals and Commercial Entities Known or Suspected of Being Involved in Fraudulent Activities. DOJ also holds Registration and Propaganda Files under the Foreign Agents Act of 1938, and tracks citizens’ purchases under the DEA Essential Chemical Reporting System. The Department is also home to the Automated Intelligence Records System known as Pathfinder.
  • The Department of Labor—Applicant Race and National Origin System, Injury Compensation System, National Longitudinal Survey of Youth and a Workers Compensation database.
  • The Social Security Administration—Information on the lifetime earnings of all Americans as well as certain information relating to insurance, health care and census data. Databases include the Matches of Internal Revenue Service and Social Security Administration Data with Census Survey Data, the Kentucky Birth Records System, and databases on Cuban and Indochinese refugees.
  • The Department of the Treasury—The FinCEN Database, which contains millions of reports on the banking activities of individually named citizens, as well as a database of relocated witnesses. It also has files of derogatory information about which no action has been taken, Electronic Surveillance Files, and the Office of Thrift Supervision’s Confidential Individual Information System. Within the IRS, there is now a National Database of New Hires, which holds records of the income of every working American.

The National Database of New Hires was established in 1996, and requires that all employers report identifying information about all new employees for inclusion in the database. This database is being used to enforce state child support orders. New employees must be entered into the database whether they have violated a child support order or not, whether they have children or not. The IRS, the Social Security Administration and the Justice Department will also all be able to access the database.

Lately, the growth in government databases has created some disturbing, almost Orwellian trends, as information from one federal agency has been freely given to another to create a catch-all umbrella database, capable of building up a complete profile of an individual from records faithfully supplied to the federal government in trust by the citizen. According to a recent report released by the privacy think tank Privacilla, there has been an alarming increase in the amount of personal information that federal agencies collect and share with one another, including 47 separate instances where federal government agencies announced their intent to exchange personal data and combine it into their own databases.

An April 2001 report by the Senate Committee on Governmental Affairs shows why this could be a dangerous trend. The committee found that people who log onto dozens of federal government Web sites can be unknowingly tracked, despite a privacy policy forbidding it. The report, culled from audits of 16 agencies, found 64 federal Web sites used files that allow them to track the browsing and buying habits of Internet users. These were not random examinations. Jupiter Media Metrix, a company that tracks Internet usage, estimated 3.5 million visitors clicked on the Education Department’s Web pages in March and 2.2 million visited NASA sites.

In total, seven federal agencies have software that collected unauthorized information from visitors, including the Transportation Department’s 23 Web sites, the General Services Administration’s 15 sites and the Energy Department’s 11 sites. Federal agencies are blatantly ignoring the law stating that this kind of software can only be used when there is a compelling need, and even in these instances, Web sites must explicitly inform Internet users about the practice.

This report brings to light one of Orwell’s worst fears—not only are government agencies sharing private, personal information about individual citizens and failing to inform them, but they are also overstepping checks and balances designed to prevent such abuses from occurring. Governmental Affairs Committee Chairman Fred Thompson (R-Tenn.) emphasized that the government was technologically challenged when he said that "the Administration is not enforcing the laws that Congress passed" and that the federal government’s underlying infrastructure is "riddled with vulnerabilities which represent severe security flaws and risks to our national security, public safety, and personal privacy."


Security ... What Security?

The Senate Committee report represents the tip of the iceberg when describing the government’s abysmal track record of protecting sensitive information. In a survey conducted in March 2001 by the FBI and the Computer Security Institute, 85 percent of the companies and governmental agencies surveyed indicated that they had detected computer security breaches in the previous twelve months. Identity theft alone has increased year after year.

Without proper safeguards, the merging of government databases poses an enormous risk, making it easier for individuals and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against computer networks and systems. The General Accounting Office (GAO) cited several serious computer security incidents that have occurred since early 1998, resulting in damage and disruption to agency operations. As a result of these weaknesses, computer systems and the operations that rely on the systems were highly vulnerable to tampering, disruption, and misuse from both internal and external sources.

Not only does the federal government have inadequate protection for this highly sensitive information, it is guilty of a greater hypocrisy: as consideration is being given to regulating online privacy, federal agencies don’t even follow their own rules on the privacy of shared personal and financial information. GAO testified in September 2000 that both the FTC and the government as a whole failed to live up to the privacy standards that the FTC asked Congress to impose on the private sector.

Moreover, the House Government Reform Subcommittee on Government Management, Information and Technology found the federal government's computer security so lax it merited a D- grade overall. The best agencies were the Social Security Administration and the National Science Foundation with Bs, but more than one quarter of all agencies received an F, including the Departments of Labor, Justice, Health and Human Services, and the Small Business Administration. The most disturbing grade was received by the Department of Defense, whose computers carry some of the nation’s most sensitive secrets, and which earned a D-plus for its computer security program.

Subcommittee chairman Steve Horn (R-Calif.) called the report "dismal" and underlined that there is "no room for complacency, for the stakes are simply too high." House Majority Leader Richard Armey (R-Texas) concurred with this sentiment in April 2001 when he said that "there are plenty of things we can do to improve the way the federal government uses personal information—both in the bureaucracy and in Congress. We should clean our own house before dictating solutions to others."

In the name of transparent and even more efficient government, a great number of federal databases are kept online—a laudable goal that can make life easier for the average American. However, improved access can easily be abused if the security of these files is not held to the highest standards.


Agency Abuses and Failures

One example of a federal agency which has breached its own guidelines on privacy time and again is the Internal Revenue Service (IRS)—an agency one would assume to have the most stringent security controls considering the type of information it handles. In 1995 for example, more than 500 IRS agents were caught illegally snooping through the tax records of thousands of Americans, including personal friends and celebrities. Only five were fired for that gross misconduct.

In February 2001, GAO issued a report concerning information security in the IRS. GAO discovered that during the 2000 tax filing season, the IRS did not adequately secure access to its electronic filing systems or the electronically transmitted tax return data these systems contained. The auditors found that no encryption was used to protect tax return data on e-file systems—an eye-popping lapse in security—and even demonstrated that they could access a key electronic filing system using a common handheld computer.

The IRS had failed to construct firewalls and similar perimeter defenses to protect these files, giving the average hacker easy access to high level sensitive data. While the IRS stated it did not have evidence that any intrusions occurred or that intruders accessed or modified taxpayer data on its e-file systems, the agency also did not have adequate procedures to detect such intrusions at the time. The IRS wasn’t even aware of GAO’s testing of its system vulnerabilities.

In addition, GAO found that the IRS did not implement adequate password management and that IRS personnel often "turned off" network control devices in order to speed up the processing of electronic tax returns. The agency also processed electronic tax returns and paid refunds without a taxpayer’s signature—the practice that certifies the return is true, correct, and complete to the best of the taxpayer’s knowledge. This means that the IRS paid refunds of about $2.1 billion on electronic tax returns that were not authenticated by taxpayers as of August 24, 2000.

The failure to catch such mistakes and the lack of modernization generally within the IRS has cost taxpayers millions of dollars. For example, the IRS’s Cyberfile project, designed to enable taxpayers to file returns from home, cost taxpayers $17 million—and it never even worked. The agency also spent $251 million before canceling as "worthless" its Data Processing System, which was designed to scan and store tax forms. The IRS’s penchant for waste and abuse is well-documented and is, according to GAO, related to lack of expertise, lack of accountability at both the IRS and the Treasury Department, and lack of continuity among senior IRS officials.

Electronic returns provide some of the most damning evidence against the IRS, especially as the IRS asserts in promotional material that the security and privacy of tax return data filed electronically is "assured". What the IRS did not disclose was that taxpayer information was not encrypted as promised, but sent in clear text, so that the transmission could be viewed, modified or copied unbeknownst to the sender. According to GAO, the IRS also approved individuals as e-file trading partners who possessed unpaid tax liabilities, filed late tax returns, filed false tax returns, or were assessed Trust Fund Recovery penalties.

While the IRS is one of the worst offenders, most other agencies are also technologically challenged. In its April 2001 testimony before the House Energy and Commerce Subcommittee on Oversight and Investigations, GAO summarized the information security audits that had been performed since July 1999 at 24 major departments and agencies. A few examples of weaknesses in federal government computer systems demonstrate the danger not only to individual privacy, but also to national security:

  • A hacker group called "PoizonB0x" defaced numerous government Web sites, including those of the Department of Transportation, the National Science Foundation, the National Oceanic and Atmospheric Administration, the General Services Administration, and the Office of Science and Technology Policy.
  • In February 2001, the Department of Health and Human Services’ (HHS) inspector general reported "serious control weaknesses affecting the integrity, confidentiality, and availability of data maintained by the department." The greatest weaknesses were at the Health Care Financing Administration, which in fiscal year 2000, processed more than $200 billion in Medicare expenditures.
  • In June 1998, the Environmental Protection Agency (EPA) was notified that one of its computers was used by a remote intruder to gain unauthorized access to a state university’s computers. Although software updates were available to correct the vulnerability, EPA had failed to install them.
  • In June 1999, a similar failure to update software over a three-year period allowed an intruder to penetrate an Internet Web server at EPA’s National Computer Center. The hacker exploited a control weakness specifically identified by EPA about three years earlier during a previous penetration of a different system.
  • In September 1999, an individual who no longer had an official affiliation with EPA gained access to an agency computer and altered the computer’s access controls, thereby blocking authorized EPA employees from accessing files. In simple terms, EPA failed to remove the individual’s access codes to its computers after he stopped working there.
  • At one agency, 11 procurement staff members possessed system access privileges that allowed them to individually request, approve, and record the receipt of purchased items. In addition, 9 of the 11 were allowed to edit vendor files, allowing them possibly to append fictitious vendors to the file. GAO identified 60 purchases, totaling about $300,000, that were requested, approved, and receipt-recorded by the same individual in fiscal year 1999.

GAO called these lapses in information security "a widespread federal problem with potentially devastating consequences." Weaknesses in the policies, procedures, and technical controls that apply to an agency’s information systems and their operation "placed a broad range of critical operations and assets at risk for fraud, misuse and disruption. In addition, they placed an enormous amount of highly sensitive data—much of it pertaining to individual taxpayers and beneficiaries—at risk of inappropriate disclosure."

These lapses in security have been so pervasive for so long that since 1997 GAO has placed information security on its high-risk list.

The Bush Administration has recognized that these failures need to be remedied. As part of this effort, the Commerce Department has announced a new position to protect its sensitive information and respond to questions citizens might have relating to privacy and the federal government. The President’s fiscal 2002 budget contains $100 million over three years for an interagency electronic government (e-gov) initiative. In addition, the budget calls for increased access to information and services through the Internet, which would include "transactions with the public along secure Web-enabled systems that use portals to link common applications and protect privacy." The administration's goal is laudable as long as agencies take their responsibilities to protect personal data seriously and invest sufficient resources to prevent abuses.


The Threat of Government Regulation of Privacy

During the last few years, executive agencies and Congress have been making ever louder noises about privacy laws and regulations for the private sector, despite the hypocrisy of the federal government’s own failed attempts to protect sensitive information. In May 2000, a majority of the Federal Trade Commission (FTC) agreed that legislation would be needed to "supplement self-regulatory efforts and guarantee basic consumer protections." FTC Commissioner Orson Swindle dissented vehemently from this decision, calling it an "unwarranted reversal" of previous FTC support for self-regulation, concluding that legislation could impose "costs or other unintended consequences that could severely stifle the thriving New Economy."

In addition to the FTC’s foray into privacy regulation, the National Association of Attorneys General (NAAG) dedicated its summer 2000 meeting to the issue of privacy. NAAG decided upon a set of "Privacy Principles" that it would offer to Congress as a foundation for federal privacy legislation. The principles themselves seem innocent enough, consisting of notice, choice, access, security, and enforcement/redress. However, when read in detail they seem severely suppressive in their monitoring of the online industry. Under "Notice," for example, the user must be aware of the identity of the entity collecting the data, how it will be used, its potential recipients, whether the requested data is given voluntarily or not, and the consequences of a refusal to provide the requested information. This does not give the company collecting the data much flexibility over how it will be used, a huge disadvantage in areas such as marketing.

Several industry associations have expressed concern over both the NAAG principles and congressional activity. The Association for Competitive Technology was "particularly troubled with the notion that comprehensive privacy legislation is necessary." The Association of National Advertisers agreed, stating that "imposing cumbersome or overly restrictive rules in the electronic marketplace could destroy the interactive value of the Internet." Comments from the Information Technology Industry Association expressed concern that by "encouraging precipitous and unnecessary regulatory steps intended to enhance privacy, the NAAG Principles may actually give consumers fewer choices and, as technology changes, less privacy." FTC Commissioner Leary also stated that a "focus only on online privacy issues could ultimately have a detrimental impact on the growth of online commerce" because "online companies will be placed at a competitive disadvantage relative to their offline counterparts."


Legislative Initiatives

To date, more than forty privacy bills have been introduced in the 107th Congress, covering medical data, marketing practices, and financial information. Three hearings have been held on the subject through April 2001.

Among the most sweeping proposals is H.R. 89, the "Online Privacy Protection Act of 2001," sponsored by Rep. Rodney Frelinghuysen (R-N.J.). The legislation requires Web site operators to provide a process for individuals to consent to or limit the disclosure of personal information collected online. It also allows the states to enforce provisions of the act by bringing action on behalf of residents.

Rep. Anna Eshoo (D-Calif.) is the sponsor of H.R. 237, the Consumer Internet Privacy Enhancement Act. The legislation would make it unlawful for a commercial Web site operator to collect personally identifiable information online from a user, unless the operator provides notice and an opportunity to limit the use of the information or disclosure to third parties. The notice would have to include the identities of the Web site and any third party collecting the data, with a link to the third party Web site.

Other measures that have been proposed in the 107th Congress include the establishment of a Privacy Commission (H.R. 583), which would report on issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting such privacy and allowing appropriate uses of information. H.R. 347, the Privacy and Disclosure Act, requires the FTC to prescribe regulations to protect the privacy of personal information collected from and about individuals on the Internet and to provide greater individual control over the collection and use of that information.

What often goes unrealized is the cost of such federal intervention. A May 2001 study concluded that U.S. companies doing business online would have to pay $9 billion to $36 billion to modify their Web sites to comply with proposed privacy laws. Moreover, small businesses would be hit hardest, since they own the great majority of working Web sites. The study concluded that further regulation of online privacy is not necessary because the direct costs of compliance could be substantial, the benefits have yet to be quantified, and the marketplace is responding to consumer demands.


Legislating is Slow, Cumbersome, and Inflexible

A major drawback of government action on privacy is the inability of the government to keep up with technology. Changes in the high tech marketplace occur far faster than politicians can act. Passing legislation takes time, and policies applicable today would quickly become obsolete.

Such mandates also limit consumer choice and personal preferences, a key benefit of online use. Software releases begin at 1.0 and can go up as far as the technology permits. These new and improved versions meet consumer demand, yet legislation has no built-in mechanism to do this. There is no expectation of future versions of legislation as there is no expectation that laws will be changed quickly, or ever. Companies can quickly change their policies without legislation. Any regulatory scheme would not be able to respond to a vibrant and competitive marketplace the same way that businesses can.

In addition to the lengthy legislative process, the regulations necessary to implement a law take months or years and Congressional oversight is usually abysmal. Promulgation of regulations also creates interest groups with a desire to maintain that law. Government regulations are also extremely inflexible. Once a major law is passed, it tends to establish a regulatory framework that lasts for a long time. It will "freeze technology," destroying incentives for innovation, since innovation will not satisfy the government’s requirements.


The Diverse Needs of a Diverse Industry

Online companies are spread across the economic spectrum. A network hardware company like Cisco has very little in common with AOL/Time Warner’s news and entertainment business, which in turn shares little with an Internet service provider (ISP) or Web-hosting company such as Netcom. And yet government regulation is by necessity of the "one-size-fits-all" variety which would lump these diverse companies under the same piece of legislation.

Just as online companies reflect vastly diverse sectors of industry, so too do Internet consumers, who also have different preferences when it comes to the level of privacy they prefer. The private sector is solving this issue itself, by allowing individuals to specify whether they want to make themselves anonymous while searching online, or whether they wish to give a certain amount of their information to marketing companies as they see fit. Incorporating such nuances into a standard federal regulation would be difficult, and any resulting privacy notice would have to be exceedingly complex, causing many people to ignore them or simply refuse to go online. That argument does not mean the government should refuse to intervene if the private sector fails to provide the flexibility and technology to address privacy concerns, but it does provide a cautionary note for federal intervention.


The Case for Private Sector Self-Regulation

Online commerce was the fastest growing industry of the 1990s and will continue to grow rapidly in the future. As a result, more than ever, people have access to information and resources they never would have thought possible in their parents’ generation or even a decade ago. The Internet’s simplicity and convenience have allowed people to purchase anything from household groceries to spare car parts online and have them delivered to their door. The regular use of e-mail has become the norm across generations and thousands of high tech jobs have been created, a factor which has underwritten economic growth in the 1990s.

All this activity has occurred in an atmosphere of very little regulation, allowing a fledgling industry the freedom it needed to flourish. If any legislation had been enacted at an early stage of the Internet’s development, it could have had the disastrous result of stifling the creative energy being devoted to making an Internet where all can feel safe. And this possibility is still a very real concern to an as-yet largely unregulated online community.

Large companies such as McGraw-Hill already have whole departments working solely on privacy policies to ensure they keep up to date on changes in technology. An annual report is published for customers about changes to the privacy policy and periodic audits of the policy are undertaken throughout the year to ensure compliance. There are privacy personnel employed in each business unit of the company to train people on the subject and for customer contact in case of complaints. The company has admitted that these measures have cost it millions of dollars, but has stated that it would enact them with or without regulation as it is in the customer’s, and therefore its own, best interest. Other companies such as AT&T send an annual written privacy notice to each customer and maintain a "do not call" list of customers.

Many other companies have said that they prefer the self-regulatory approach to the government-regulated approach, as self-regulation would give them the flexibility to respond to market forces and consumer choices, while balancing cost-benefit considerations. When it comes down to the bottom line, if the consumer doesn’t like the site’s privacy policy, they can vote with their mouse and leave the site.

Regulatory constraints can be a major factor in the survival of Web businesses. The Forrester Report stated that compliance costs of government legislation for the Reed Elsevier/LEXIS-NEXIS group would be $44,000 to $1 million per year. Privacy compliance costs real dollars, more than many businesses can afford. So why not let market forces influence industry practices instead of artificially changing the marketplace? As Americans know too well, once government intervenes in any industry, it is there to stay, and it doesn’t stop at the first step on the ladder to greater control.

Intel Chairman Andrew Grove goes against the grain by supporting government regulation of what he calls "personal property" on the Internet. He believes the prospect of facing 50 state regulations and hundreds worldwide would impose huge costs on technology. While Grove has a point regarding the cacophony of laws that govern world commerce, at least in the United States the prevailing industry view regarding the Internet is that self-regulation must be given every opportunity to succeed in creating an international privacy standard before the government steps in.

The alternative to government regulation is a combination of public education, consumer pressure, new technologies, and privacy policies that act as privacy contracts. Consumer pressure can have a remarkable effect, as Amazon.com quickly learned, when it allowed customers to opt out of its "purchase circles"—a published list of purchasing patterns—after some of its customers voiced opposition. In a similar case, America Online (AOL) was flooded with protests and watched its stock sink after announcing it would sell user information. They quickly dropped that idea.

The information technology industry recognizes that protecting personally identifiable, sensitive information is important to its customers—so much so that it is often a prerequisite to shopping online. To protect such information is vital to the very survival of online businesses. Microsoft’s Chief Operating Officer Bob Herbold stated that Internet privacy protection is a top barrier to the continued growth of e-commerce and that it is necessary for businesses to tackle this issue or they will see profits fall very quickly—an excellent example of market forces at work.

 

The irony of the new focus on online privacy is that the Internet is one of the easiest places to control the use of personal information, particularly if attention is paid to what can be done to protect the data. There are already many tools online to protect privacy for consumers. Following are five highly effective private-sector alternatives to government regulation:

1. Company Policies as Effective Oversight

The number of sites which now have privacy policies has increased from 14 percent in 1998 to 88 percent last year. Many companies provide resources for establishing privacy policies. For example, the Privacy Council offers audits, consulting services, assessments, training and seminars to help companies set up privacy policies. These seminars educate professionals, businesses and their clients and consumers on privacy issues and solutions in a marketplace that is becoming increasingly lucrative as private sector demand rises for such services. Direct Marketing Association Interactive (DMAI) simplifies the procedure further, requiring the client to fill out a questionnaire on DMAI’s privacy generator. The privacy policy will then be e-mailed to the client for editing before being posted to the Web site. DMAI even allows the client to update the policy as needed. Finally, Microsoft’s Privacy Wizard is a free online tool that allows businesses to create and post comprehensive privacy policies on their Web sites. It has generated 18,000 policies with 12,000 completed and 8,000 posted by Web sites.

The scope and content of Web site privacy policies have improved as well. The Hewlett-Packard Web site, for example, has a privacy policy that is four pages and more than 2,100 words long. Amazon.com has a 1,500-word policy that includes the ability to set Customer Communications Preferences. Both Web sites explain what they do with the information that consumers provide; how they collect and use it; whether or not the information is shared with others and how consumers can control that process; how they use cookies; the security of transactions; and other policies that affect online activities.

Many Internet companies have gone to great lengths to protect the privacy of their visitors and thereby exposed themselves to liability if they fail to live up to their promises. They know privacy is good business. Moreover, some large companies, including IBM and Walt Disney, take the issue so seriously that they do not advertise on sites that do not post privacy policies.

2. Seals

The second tool the online industry is using to regulate itself is the seal program. A seal is validation by an independent, trusted third party which can be used to connote both compliance with privacy policies and an easy method for consumers to contact the seal provider. This technology is ideal for small businesses, which often don’t have the resources to fund entire privacy departments.

A seal will establish that a Web site’s privacy policy is accurate, comprehensive, prominently displayed, completely implemented and accessible. It also alerts consumers to the complaint resolution mechanisms through which complaints are handled. Periodic reviews or auditing of certain sites are also used to maintain compliance. Notice can be given to the site if it is no longer compliant with the standards, and this information can be made a matter of public record.

The Online Privacy Alliance (OPA) supports this type of protection, stating that seal programs should be objective and build legitimacy with consumers. Seal providers should solicit and consider input from the business community, consumer/advocacy organizations and academics in formulating their policy. The OPA suggests that seal providers should make their seals accessible, affordable (especially to small businesses), and comprehensive enough to cover sensitive and non-sensitive information. The OPA also suggests that seal providers be able to handle consumer inquiries and complaints and that its seal be widely used and recognized.

TRUSTe and BBBOnline are examples of accepted seal programs, which certify that member Web sites have a privacy policy that adheres to certain minimum standards. BBBOnline is literally the Better Business Bureau online, and TRUSTe is a nonprofit rating organization created by CommerceNet, the Electronic Freedom Foundation, and a few dozen e-commerce corporations. TRUSTe conducts tests on member sites to ensure continued compliance with its standards, and allows its logo to be displayed on the member’s homepage. It also tests on a regular basis to make sure the site is following up on its own policy. Member companies are bound by a legally enforceable contract to follow their own privacy statements.

3. Education

Consumer knowledge of privacy online is sorely lacking. In order to prevent the government from stepping in to "protect" consumers due to their own supposed ignorance, the private sector must do a better job of educating online visitors. Despite the already existing system for protecting private information, concerns about Internet transactions have grown. People will lock up their cars before leaving them on the street, but there is little understanding as to what they need to be secure on the Internet.

There is a Big Brother fear that some unknown entity is gathering information and nothing can be done about it. This fear is mostly linked to the dissemination of secondary and aggregate information, rather than the primary information the citizen knowingly gives to parties such as a doctor or accountant. The unease may be rooted in e-commerce’s impersonal nature (one can argue directly with customer service in a store or with a credit card company on the phone if a transaction goes sour), and the stark reminder that one is entering a "secure" area when making purchases. Legislators may exploit these fears of an Internet "eye in the sky" to push through draconian legislative measures.

According to Forrester Research, 65 percent of consumers are "very concerned" or "extremely concerned" with online privacy, and those fears led to a loss of $4.2 billion by e-commerce companies in 1999. The Pew Internet & American Life Project also released a study in July 2000, which stated that more than half of Americans would want new laws to protect themselves from government and other kinds of unwanted surveillance online, and less than a third trust government officials to make the right choices.

Several Web sites, such as NetPrivacyPower.org, are already educating the public about online privacy through consumer campaigns by providing information about how to protect yourself online, including how to verify your browser security level, browse anonymously and reject unwanted cookies. Dell has an "E-ssentials" campaign with advice on keeping your password secret, understanding financial security on the Web, avoiding viruses, and viewing your rights on the Web.

Companies like Privada teach seminars on how to write privacy policies. These training entities have observed that in the last few years, companies have changed their attitudes towards such policies and incorporated them into their Web sites, while also changing what they define as sensitive information and protecting it to a greater degree.

Microsoft is promoting an educational campaign to inform consumers with privacy statements that are simple to find and written in clear and understandable language. As a result, customers will be able to easily review and change their information.

4. Browsers and Cookies

The fourth security tool available in the online industry is the combination of browsers and cookies. All browsers can be set to accept all "cookies," to prompt the user before accepting a cookie, or to disable all cookies. For those not familiar with the Internet, these cookies are inedible—they are actually pieces of text that enable Web sites to identify repeat visitors. When a consumer returns to the same Web site, the consumer's own computer sends back the cookie, letting the site know the visitor is back. Cookies have a unique identifying number, which lets the Web site keep track of what the visitor does on the site. The site may lead the consumer to the area visited most frequently, or even provide an ad that addresses the consumer's personal interests.

Secure Socket Layer (SSL) browsers display a security icon—a locked padlock in the lower left corner of the window for example—to indicate a secure site. These browsers also determine whether the receiver of an e-mail is an imposter by asking for a certificate issued to the site by a Certification Authority (CA) such as Equifax, GlobalSign or VeriSign.

While cookies sound quite Orwellian, the information they contain is initially limited to the user’s online provider’s server and his or her type of browser and computer. Accepting a cookie does not give a Web site access to any personal information, other than the data one chooses to share with the company. Additional information comes from the user, through registration at a Web site or purchase of a product that includes personal information.

If one wishes to keep such information private, there is usually a way to control how much personal information is shared, such as not providing any of it at all, or checking a box indicating one’s preference. Some companies state clearly they will not share the information, but will use it only to provide additional product information or special offers. This increases the efficiency and effectiveness of a visit to a Web site, and often leads to specific responses geared to one’s specific interests (somewhat like an online salesperson).

If this process makes people uncomfortable, it’s not a good reason to avoid going online. It is a good reason to take the time to change browser preferences to disable cookies or be alerted when cookies are being sent. It is possible to simply edit and/or delete cookies from computers without causing any harm to your system. Cookie managers and blockers exist in every browser on the market. Companies will even educate users as to how this can be done via their privacy policy—where one can learn how to control which cookies to accept, how to access cookie files and how access to that site would be affected if cookies were refused.
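The cookie round trip and the three browser settings described in this section can be traced in a short simulation. This is an added example, not code from the report or from any browser vendor; the `Site` and `Browser` classes, the `visitor_id` cookie name and the page paths are constructed for illustration.

```python
import uuid
from http.cookies import SimpleCookie


class Site:
    """Constructed web site that tags each new visitor with a unique ID cookie."""

    def __init__(self):
        self.profiles = {}  # visitor_id -> list of pages requested under that ID

    def handle(self, path, cookie_header=""):
        """Record the request; return a Set-Cookie value if a new ID was issued."""
        sent = SimpleCookie(cookie_header)
        vid = sent["visitor_id"].value if "visitor_id" in sent else None
        set_cookie = None
        if vid not in self.profiles:      # first visit, or the cookie never came back
            vid = uuid.uuid4().hex
            self.profiles[vid] = []
            set_cookie = f"visitor_id={vid}; Path=/"
        self.profiles[vid].append(path)
        return set_cookie


class Browser:
    """Browser with the three cookie settings: accept, prompt, disable."""

    def __init__(self, mode, ask=None):
        if mode not in ("accept", "prompt", "disable"):
            raise ValueError(mode)
        self.mode, self.ask = mode, ask
        self.jar = {}                     # single-site jar, enough for this demo

    def visit(self, site, path):
        header = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        set_cookie = site.handle(path, header)
        if set_cookie is None or self.mode == "disable":
            return
        for name, morsel in SimpleCookie(set_cookie).items():
            # "prompt" stores the cookie only if the user's callback approves it
            if self.mode == "accept" or (self.ask and self.ask(name)):
                self.jar[name] = morsel.value


def pages_per_profile(mode, ask=None):
    """Visit three pages; return how many pages the site linked to each ID."""
    site, browser = Site(), Browser(mode, ask)
    for path in ("/books/privacy", "/books/1984", "/checkout"):
        browser.visit(site, path)
    return sorted(len(pages) for pages in site.profiles.values())
```

With cookies accepted, the site links all three page views to one identifier; with cookies disabled or declined at the prompt, each request looks like a new visitor and no browsing history accumulates.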

Fear about cookies is unfounded. Amazon.com, for example, uses them to personalize the log-in page, make suggestions regarding the type of books one might like to read, respond to requests, customize future shopping, improve their online store, study market trends and improve productivity. This targeted marketing provides customer content and relevant information to the buyer. Just imagine if the real world were organized that way and one was able to walk into Macy’s or any other store and immediately find similar purchases to those made in the past, in a range of colors and all in the right size at the front of the store. Cookie personalization makes this possible online.

However, no amount of personalization will make people shop online if their security is compromised. Amazon.com, for example, shares personalized information only with third party companies that deliver services such as fulfilling orders, delivering packages, analyzing data and providing marketing assistance. Beyond those obvious needs, Amazon.com will give the consumer notice when the information may be shared with other third parties, and the consumer has the option not to share that data. Hewlett-Packard states in its privacy policy that it will not "sell, rent, or lease your personal identifiable information to others" and that "your permission is always secured first, should we ever share your information with third parties that are not acting on our behalf and governed by our privacy policy."

It is in this way that the private sector has responded to consumer demand for secure online transactions and protection of personal information. These and other Web sites legitimate the tracking of consumer information, limit the collection of information to strict marketing purposes for consumer convenience and do not share the information with third parties without express consumer consent. In this manner, private companies track consumer information to better serve customers; governments may have other purposes.

5. Private Sector Protocol (P3P) and Other New Technology

Fifth in the list of private sector alternatives, the development of new technologically advanced tools gives individuals greater control over their personal information. A widely supported effort is P3P, which stands for Platform for Privacy Preferences. It was engineered at the World Wide Web Consortium (W3C), a consortium of 434 members, including the largest players in the Internet, such as AOL, Cisco and Microsoft. P3P enables Web sites to express their privacy practices in a standard format that can be retrieved automatically by user software "agents." This represents a broader approach than simply controlling cookies.

P3P communicates the user’s privacy preferences to the Web site the user is currently viewing, laying down the limits to which the user is prepared to divulge personal information. A user could provide the Web site with past purchasing information, for example, but refuse to give an address or telephone number. This gives the user complete control and choice over how much and what kind of information is given to each Web site.
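A user agent can apply the preference described above (share purchase history, refuse address and telephone number) by reading a site's P3P compact policy and checking it against the user's refusals. This is an added example, not code from the W3C or from the report; the token tables are a subset of the P3P 1.0 compact-policy vocabulary, the header values in the usage are constructed, and treating opt-in sharing as acceptable is this example's own choice.

```python
import re

# Data-category tokens (subset of the P3P 1.0 compact-policy vocabulary).
CATEGORIES = {
    "PHY": "physical contact information (address, telephone)",
    "ONL": "online contact information (e-mail)",
    "PUR": "purchase information",
    "FIN": "financial information",
    "NAV": "navigation and click-stream data",
    "HEA": "health information",
}
# Recipient tokens: who receives the collected data.
RECIPIENTS = {
    "OUR": "the site and its agents",
    "DEL": "delivery services",
    "SAM": "other entities following the same practices",
    "UNR": "unrelated third parties",
    "PUB": "public forums",
}
# Optional one-letter suffix on a token: always required, opt-in, opt-out.
CONSENT = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}


def parse_compact_policy(p3p_header):
    """Return [(token, consent)] from a P3P header value, or None if no CP."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', p3p_header or "", re.IGNORECASE)
    if not match:
        return None
    tokens = []
    for raw in match.group(1).split():
        code, suffix = raw[:3].upper(), raw[3:]
        if len(code) != 3 or suffix not in CONSENT:
            raise ValueError(f"malformed compact-policy token: {raw!r}")
        tokens.append((code, CONSENT[suffix]))
    return tokens


def conflicts(p3p_header, refused):
    """List declared practices that the user's refusals rule out.

    Returns None when the site sends no compact policy, so the caller can
    decide how to treat a site that declares nothing.
    """
    tokens = parse_compact_policy(p3p_header)
    if tokens is None:
        return None
    found = set()
    for code, consent in tokens:
        if code not in refused:
            continue
        if code in CATEGORIES:
            found.add(code)
        elif code in RECIPIENTS and consent != "opt-in":
            found.add(code)   # sharing happens without the user asking for it
    return sorted(found)


# User from the paragraph above: purchase history is fine, contact details are not.
USER_REFUSES = {"PHY", "ONL", "UNR", "PUB"}

if __name__ == "__main__":
    header = 'policyref="/w3c/p3p.xml", CP="CUR ADM OUR UNRi PUR PHY"'  # constructed
    print(conflicts(header, USER_REFUSES))
```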

There are many other innovative methods to protect privacy. Network Associates’ Net Tools Secure Suite provides encryption, authentication, policy management, anti-virus, and intrusion-detection technology, mostly for commercial users. Anonymizer allows one to surf anonymously, by providing an untraceable alias, offering anonymous e-mail and Internet access. Freedom is a similar company that will charge $50 a year to provide up to five online aliases and allow anonymous profiles. Freedom is a product of Zero Knowledge, a Canadian company based in Montreal, and does not have to follow U.S. law. As a result, it can use stronger encryption than similar American products.

Bell Labs and AT&T have developed "Crowds," which uses a virtual "crowd" of people to hide one’s identity while surfing. Users are placed in random groups. Each time one instructs a browser, the command is randomly routed through the machine of someone else in the group so that it is impossible to track a group member individually. The Onion routing system, under development by the Naval Research Laboratory, keeps third parties from tracking surfing activities by randomly moving messages through a series of routers before the message reaches its destination.

One of the most inventive of the emerging technologies is Lumeria, a site that hides individually identifiable data and then allows the user to charge companies to see it. This California-based company believes that if personal information is valuable to businesses then they should pay for it. The free portion of the new service can also place users on a "do not contact" list for direct marketers.

Hailstorm is a service being developed by Microsoft which is oriented around users, instead of a specific device, application, service or network, taking advantage of the .NET technologies and architecture that make it possible for applications, devices, and services to work together. It creates an information "hailcloud" in which all personal data is stored—an electronic address book, contacts, calendar, documents, wallet, favorite Web sites—all of which are interconnected and can be accessed from anywhere at any time. Adding a friend’s phone number on one’s cell phone will also update that information in one’s computer, for example. Making an airline reservation online will automatically register the travel details onto the online schedule, inform the travel agent of the relevant frequent flyer number, window or aisle seating preference and whether a special meal is required.

Another product allowing individual control of information is "DigitalMe," which stores the user’s personal data and uses it to fill out forms at Web sites automatically, allowing a final review before they are submitted. The software, available by download in June 2001, will keep track of passwords and names used from site to site.

Hailstorm, DigitalMe, Onion, Crowds and other new technologies turn the argument over online privacy on its head. Instead of debating how much organizations can get away with in respect to an individual’s information, they start with the assumption that the user controls all personal information and decides with whom to share it and under what terms. Any access, changes or use of that data require the explicit consent of the user as the ultimate decision-maker. These new technologies provide an arsenal of arguments against any politician intent on Internet privacy regulation.


Conclusion

 

The federal government and the private sector face many challenges with regard to information privacy. Federal government agencies are increasingly exchanging and merging personal information. On average, a new program for comparing databases is announced every two weeks. But continued failure to comply with existing government privacy standards will lead to more bureaucracy and easier access to information that will tempt many to violate shared personal information. Federal invasion and abuse of personal privacy via computer databases is no less a crime than breaking into one’s house without a warrant or taking property without due process, which are specifically outlawed by the Fourth Amendment. The framers of the Constitution recognized the unique powers of government and sought to curtail them by preventing governments from collecting information about citizens without substantial justification. At the very least, the federal government should adopt the new security technologies prevalent in the private sector to reduce the exposure of personal records to unwanted eyes.

Given the pitfalls of having the government make decisions about control over personal information, it would behoove the public to spend time exploring the many technologies already available to protect personal data and behoove the technology industry to prominently cite its self-regulating activities. Much of the e-business community, including Hewlett-Packard, Intel and eBay, supports the requirement of a prominent notice of a Web site’s privacy policy and a check box to opt out of information collection. President Bush has embraced such "notice and consent" policies. In fact, of the top 100 private sector Web sites, 97 to 98 percent are compliant with their privacy policies without any legislation.

To date, the private sector has shown greater concern than the federal government over being a guardian of people’s privacy. For the government to regulate the private sector while its own house is in disrepair and without sufficient evidence that such action is absolutely necessary would be costly to the economy and an enormous waste of taxpayer money.

As with any other issue, the more that individuals do to control their own lives—in this case personal information—the less need there will be for Big Brother to put a cop on every cybercorner. The private sector will continue to respond to consumer demand for improved privacy protection, and will move even faster if it believes the government will legislate or improve regulatory constraints on how e-commerce is conducted. As the Internet’s influence on society grows exponentially, ensuring one’s privacy will determine whether or not the Internet becomes a vital medium for commerce, business and entertainment or whether the government will step in and stifle freedom and innovation. In the end, whether the issue is privacy, Internet taxes, or antitrust policy, the further offline the government stays, the better off all Americans will be.

In accordance with Title 17 U.S.C. Section 107, any copyrighted work in this message is distributed under fair use without profit or payment for non-profit research and educational purposes only. [Ref. http://www.law.cornell.edu/uscode/17/107.shtml]
