A 20-year-old woman stalked through the Internet and killed. Thousands of e-commerce customers watching as their credit card numbers are sold online for $1 apiece. Internet chat rooms where identities are bought, sold and traded like options on the Chicago Board of Trade. These are the horror stories dredged up by privacy advocates who say the Net’s threat to personal privacy can’t be dismissed as mere paranoia. And, they say, we’ve only seen the tip of the iceberg.
INTERNET PRIVACY is a murky, complicated issue full of conflicting interests, misinformation, innuendo and technology snafus. On the face of it, e-commerce companies and privacy advocates are locked in stalemate. Web sites want to know all they can about you; consumers generally want to share as little as possible.
Complicating matters further are criminals who break into Web sites, steal the information and use it for personal gain.
Advertising firms, who stand to gain as much as any from personal data collection, have absorbed the brunt of complaints from privacy critics. But Rick Jackson, once a marketer and now CEO of privacy technology firm Privada Inc., thinks ad firms like DoubleClick are serving as an unwitting smokescreen for the real privacy problems.
“There are a lot more people tracking you than you think,” Jackson said. “The data world is a very powerful and lucrative marketplace with a lot of players involved.” For evidence, he points to a Washington Post story that revealed that 11 pharmaceutical companies - including Pfizer Inc., SmithKline Beecham PLC, Glaxo Wellcome PLC - had formed an alliance and were tracking every click consumers made across their sites, then comparing notes. Consumers were never told.
“Everybody points to advertising. That’s just the tip of the iceberg,” Jackson said. “We as consumers don’t have any knowledge of what really goes on out there.”
HEART OF THE PROBLEM
At its heart, the Internet privacy problem is a paradox.
The Net was born as an open research tool, and thus was never designed to allow privacy or security. But at the same time, the Net seems to offer perfect anonymity, and most users behave as if they cannot be seen. Who hasn’t said or done something online which we wouldn’t do in the “real world?”
Warnings about revealing personal information online may sound obvious, but they often go unheeded - warnings such as “Don’t post notes in newsgroups or chatrooms you wouldn’t want your future boss - or spouse - to read.” Still, spend two minutes and you’ll find notes from Internet users in health support groups who are shocked to discover their supposedly private discussions about prostate cancer are now full-text searchable from a Web site.
In fact, according to the Pew Internet & American Life Project, 36 percent of Net users have sought online support for health, family and mental health issues, and 24 percent of those have signed in with their real name and e-mail address. Every question they’ve asked and every statement they’ve made is now stored on a hard drive somewhere.
Even the experts don’t have control. Jackson was a victim of identity theft earlier this year. He recouped all his financial losses, but said it was “a big emotional issue for me. Somebody’s out there ruining my reputation.” Super cyber-sleuth Richard Smith, now chief technical officer at the non-profit Privacy Foundation, had someone run up credit card bills under his name recently, too.
“They used my FAX number as the home phone number in the application and I started getting all these calls, ‘When are you going to pay your bills?’ ” Smith said.
CRIMINAL PRIVACY RAIDS
Most of the horror stories from the online privacy realm stem from criminals. The most dramatic involves a 20-year-old Nashua, N.H. woman named Amy Boyer who was stalked with help from the Internet and then murdered Oct. 15, 1999. The killer, who committed suicide immediately, had purchased Boyer’s social security number for $45 from an online information firm, according a Web site authored by Boyer’s step-father detailing the murder. Congressional lawmakers are now considering legislation which would make sale of social security numbers illegal, which has been dubbed “Amy Boyer law.”
But there are plenty of other scary tales from the world of Internet privacy. Earlier this year, a hacker posted tens of thousands of credit card numbers stolen from CD Universe on a Web site; he offered to share more for $1 apiece. Later, an MSNBC investigation revealed dozens of Internet Relay Chat rooms where stolen personal profiles - names, addresses, phone numbers, and credit card numbers - are bought, sold and traded out in the open.
HOW DID YOU FIND ME?
But privacy concerns don’t always arise from criminal activity. Privacy advocate and well-known spam fighter Ian Oxman was surprised earlier this year how easily he was able to track down the former owner of a used car he had just purchased. Oxman discovered some concealed damage to the car and wanted to learn if it had been in an accident. Armed with the car’s Vehicle Identification Number, he was able to look up the original title owner through an online database on the state of Illinois’ Web site.
“I called her up and said ‘You don’t know who I am but I’m driving the car you sold.’ She talked to me, but at the end said, ‘How did you find me’?” Oxman recalls.
Increasingly, Internet users find themselves asking someone “How did you find me?” The experience can change the privacy topic from a government policy issue into a highly personal problem.
“A lot of people think about privacy but don’t really care until something happens to them personally,” said Beth Givens, director of the Privacy Rights Clearinghouse. “It’s like freedom. You don’t appreciate it until it’s gone. If you are a victim of identity theft, you experience a change of world view, you realize how little control you have over your world.”
While most of the drama of Net privacy comes from crime, almost all the public debate has centered around Web companies collecting data for marketing purposes. Stories of companies abusing this information are actually hard to come by; most of the complaints center on what could happen if the Web company were careless or ill-intentioned.
Still, even the hint that data is being collected surreptitiously can create a firestorm of bad publicity for a technology company. Both heavyweights Microsoft and Intel have been forced to turn off features which would have allowed either company to track its customers across the Internet. RealNetworks, maker of popular video software, was twice accused of surreptitiously telling its programs to “phone home” and tattle on users surfing habits to the firm. Mattel Interactive had to admit it embedded phone home software called “Broadcast” in its Reader Rabbit software. Surf Monkey, which prevents children from accessing inappropriate sites, also transmits data like user IP addresses back to its maker.
DoubleClick Inc., an advertising network which tracks users anonymously as they move around the Internet, is really the lightning rod for such criticism. It was sued earlier this year after it revealed plans to match a real-world mass mailing marketing list with its anonymous database of Internet users, which would have revealed the Web users’ identities. It has since backed off the plans.
PRIVACY GUARANTEES FADING
This battle between consumers and e-commerce sites wages on, and at least according to one independent analyst, consumers are losing the tug of war. Economist Simon Smelt, who runs survey firm SimplyQuick.com, says most privacy policies on many Web sites are “slipping,” — meaning offering consumers less protection. In a June survey, most of the top 90 sites surveyed had polices indicating personal information would not be shipped to third parties. A follow-up survey in November revealed that most site policies now indicate firms retain the right to sell the information to outside parties, leaving the burden on consumers to “opt out.” In fact, only 30 percent of the 90 sites surveyed guarantee they won’t sell information - and More.com was one of those. Smelt suggested that increasing financial pressure are leading e-commerce sites to see personal data “as a resource itself.”
OVERHYPING THE ISSUE?
While Web companies argue they need personal information to offer individualized service, privacy advocates point to surveys which show the perceived privacy invasion actually hurts business.
The National Fraud Information Center recently completed a study in which one quarter of all respondents said they hadn’t purchased anything on-line in the past year because they were afraid their personal information would be misused in some way. Another study by the group shows Web users are more concerned about privacy than health care, crime, and even taxes.
But not everyone agrees the digital, online world is so fraught with peril. In fact, some argue that Internet privacy discussions are rarely placed in proper context - and that personal information is no more at risk online than offline.
“There’s far less information available about people on the Net than there is about anybody who uses a credit card,” said Russ Cooper, security expert. He think privacy advocates sometimes create unnecessary fear about the Internet. “The guy with the database has the same access to your information whether the data is sent through Amazon online or Barnes & Noble in the physical world.
“What are we afraid of when we do the same kind of stuff in the real world? We give away an awful lot of privacy in the real world on a regular basis, why is this hyped up when we talk about the Net?”
THE DIGITALLY RECORDED LIFE
But Givens, from the Privacy Rights Clearinghouse, disagrees, saying the problem from cyber-criminals is hardly 21st-century hype, since stealing digital information is so much easier than tapping phone calls or grabbing letters from a mail box. It’s also much more thorough.
“If you have the technical know-how you’re able to capture a lot more of an individual’s personal communication than you can with a wire tap or through stealing [regular] mail,” Givens said. That’s why the FBI’s Carnivore system, which allows agents to trap and read e-mails intended for a suspect, raises so much ire among privacy advocates.
Meanwhile, the technological Pandora’s box opened by Web marketing firms also creates a series of problems unique to the digital age, Givens says.
“How would you feel if you were in the mall and someone followed you around with a camera, noting every item you looked at,” Givens said. “I’m amazed that there’s this set of values out there in these companies that thinks it’s Okay to capture data about one’s meanderings on the Web and attempt to make money off them without consent.”
There is little debate that receiving uninvited communications is one of the consequences of connecting all the world’s people online. Another consequence: having your name placed in an ever-increasing number of databases that can be accessed by an ever increasing number of companies - and hackers.
But Jackson hopes companies such as Privada, which he now heads, will find a way to strike a balance between targeted sales and invasion of privacy. Privada acts as a third party which allows Web surfers to receive accurately targeted advertising pitches, while preserving the anonymity of the consumer.
But he holds no illusions that the effort to preserve privacy is easy, or sure to succeed.
“We’ve completely lost control over our information. We’ve got to quickly do something different,” he said. “Do I have to worry about the fact that my 8 year old is growing up in this digital world and his life is being tracked more than any generation? If he goes for a job will they find something that happened in his teen-age years, or in his health background, and then take that job away from him?” He has about 10 years to find out. The rest of us might not have quite so long.