The Hundredth Window: Protecting Your Privacy and Security In the Age of the Internet - Couverture souple

À propos de l?auteur

Charles Jennings is the co-founder of TRUSTe and of the Internet firms Preview Systems, GeoTrust, and Supertracks. He lives in Portland, Oregon.

Extrait. © Reproduit sur autorisation. Tous droits réservés.

Chapter One: Invasion of the Data Snatchers
I fear the loss of my obscurity. Genuineness grows best in the dark.
-- Aldous Huxley
A generation or two ago, the data of daily life, to the extent that it was recorded at all, was "entered" on file cards and bond paper, stored in snap-ring binders and file cabinets, and kept under lock and key. Copying information required the use of carbon paper -- and considerable human effort. A real-time commercial transaction meant pulling cash from your wallet and collecting the change. The only identifying number the typical American had was a social security number -- a nine-digit code that was generally kept in strictest confidence, in accordance with the strong privacy guarantees of the initial social security program. Even as late as the 1960s, before computers were networked, the only individual transactions recorded on a daily basis were ones that involved financial credit, taxes, or governmental benefits.
Today, social security numbers are used everywhere, from schools to stock brokerages, to track you through life. Credit cards leave a wide trail of purchase records. Copying information is as easy as point and click, cut and paste. The data of daily life -- your daily life -- is collected at supermarkets, at the workplace, over phone networks, at the drugstore, and at every website you visit. And these are just the hot spots.
List marketers, credit profilers, information brokers, and other legal vendors make a business out of collecting and trading electronic data profiles of you. They participate actively in what amounts to a thriving online flea market for PII. It is your data -- personal facts about you -- that are being bought and sold. That's the best-case scenario. The worst case is that the information in your personal data profiles is not really about you, but accidentally about someone else. If that person has a criminal past, a poor credit history or a habit of posting hate messages on the Web, you are in for trouble.
There is so much electronic information collection going on in our lives that we have become quite accustomed -- even numb -- to it all. But recall your grandparents' lives for a moment, lives lived without direct mail, e-mail, or credit cards; lives lived in an era when personal behavior was at most a matter of local gossip, not a widely accessible public record. And then join us as we imagine a typical day in your thoroughly modern life.
7:00 a.m. Wake up, turn up heat, take shower, dry hair, make and drink coffee, use up remaining milk in refrigerator.
You can still wake up at home with some expectation of privacy. You know that your shower, at least, is private. Chances are no one is monitoring the simple tasks you perform in order to get ready for the day.
7:47 a.m. Log onto the Internet to check news and stock portfolio; check e-mail on personal account.
Now you have plunged into the data zone, where every move you make will be captured in a computerized system. Your identity travels the Net with you, leaving a solid, easily traceable trail. Every click of your mouse is being recorded somewhere far, far from your hard drive, and every transaction you complete will be stored and analyzed.
8:31 a.m. Turn down heat, open/close garage door, depart house.
The local utility may be specifically monitoring your heat consumption in order to run its systems more efficiently and to anticipate high-load periods. If you use an electronic garage door system, anyone with appropriate equipment can monitor its use -- from a distance -- to determine when you leave home, though this requires hard-core electronic surveillance. As you drive off from your house, your car's trip computer records the start of today's journey.
9:10 a.m. Drive into the city, use E-ZPass automatic toll payment to make commute faster.
In New York as well as many other major metropolitan areas, toll collection has become automated through systems such as E-ZPass. However, as this system speeds you through the toll booth, your car is being identified and information about your whereabouts is being collected and stored. New York City police detectives have successfully subpoenaed this information and used it as evidence in court. (Cars are moving billboards containing a critical piece of PII -- your license plate number.)
9:12 a.m. Answer cell phone in car regarding a hot new business deal.
At first the cell phone cuts out, of course, as you cross the bridge. But then you reconnect, perhaps aware that cell phone transmissions and receptions are recorded for billing purposes, but probably not caring in the least. But then you realize that cell phone calls can be intercepted. While that possibility is somewhat remote, you shudder at the thought that a business reporter might be lurking in the sea of traffic alongside you, ready to eavesdrop on your call. The thought passes, and you hit the speed dial to return the call.
9:30 a.m. Have breakfast meeting with prospective customer; pick up the bill with a credit card.
The credit card companies -- the banks as well as the payment processors -- are some of the biggest collectors of personal data about you. Plastic is often handier than cash, and sometimes it is essential, but it is never anonymous. Credit card data warehouse operators are expert at mining information about what you buy to better understand your behavior as a consumer. This can result in directing marketing efforts that target your likes and dislikes -- but this information is not in any way regulated, and nothing precludes it from being sold to whoever wants to buy it. The biggest privacy leak in most people's lives can be found in their wallets, where they keep their credit cards.
10:46 a.m. Go into office building, use electronic badge to enter parking area, building, restroom, and work area.
Electronic badges, like E-ZPass and cell phones, can locate you in a particular place at a particular time. So can the video cameras in the parking lot, elevator, and building lobby, all of which are now online in a closed-circuit network, with feeds to both a security control room and the executive suites. Ostensibly, this data is owned and held in confidence by your employer for security purposes only. But this data can be used for other purposes as well, such as in job reviews and employee disputes. Incidentally, alarm systems that require you to punch in a specific personal identification number, or PIN, to gain entrance also store a record of your coming and going.
11:10 a.m. Check/send e-mail from work account; log onto Internet to research the competition and gain access to analyst reports.
Not only are Internet access providers collecting information about your every online click, your employer may also be doing the same -- and legally it is within his or her rights to do so if you are using your system at work. So beware! (And please stay off those porno sites when you're at work -- it could be embarrassing when the boys in the server room check your log sheets.) Also, e-mail records have been used extensively in legal actions -- and have even bitten the grand titan of software, Bill Gates -- so understand that what you dash off in an electronic note lingers on, perhaps forever.
1:38 p.m. Go to Amazon.com to buy a book, and recommend it to a client's management team.
Amazon.com has established itself as the premier online vendor of books, in part by offering personalized service. This is accomplished by collecting information about your likes and dislikes regarding particular titles and comparing these with the likes and dislikes of the countless others who frequent their site. (The process is known as "collaborative filtering" and involves a set of cutting-edge technologies that are being used increasingly in e-commerce.) The Amazon folks do post a privacy policy on their site and try for the most part to behave like a responsible, privacy-sensitive merchant, but nonetheless, the company's databases contain a great deal of personal information about the subject matter that most interests you and stimulates you. This information in some ways is even more sensitive than the more generic payment data that a credit card company records -- and in at least one controversial program, Amazon did use this information to disclose publicly what books were most popular among employees of certain well-known companies.
2:00 p.m. Participate in business alliance conference call using a teleconference service bridge.
Many of the phone companies that provide this type of teleconferencing service require you to provide your identity to access the call -- for security reasons. It is worth noting that this information is logged into these companies' database systems and can be accessed if required by the purchaser of the service or by law enforcement officials.
4:10 p.m. Use your always-on Internet access at work to visit an online wedding registry, in order to make it easy for friends and family to buy gifts online for the big wedding.
Getting married soon? No problem -- there are many websites ready to come to your rescue and help you prepare all the details. Many such sites require that you enter virtually your whole life story before you can be listed in their nuptial registry. Moreover, when people purchase gifts for you via the registry, the site operators get a very accurate profile of your friends and family as well. Whenever entering detailed personal information via the Internet, regardless of how seemingly innocuous the purpose, be sure to read the site's privacy policy to understand how the information you are providing is to be used. The way to do this is to search for a link (usually on the home page) that says "privacy policy." Read this policy! If it claims that the site operators can, essentially, do whatever they please with your data, you might be well advised to look for an alternative. (Here's the kind of language in a privacy policy to avoid: "In an effort to bring you more exciting offers from our partners, we reserve the right, from time to time, to share information about you with these partners....")
6:15 p.m. Log onto favorite travel site to purchase tickets and select seat for upcoming business trip.
The proliferation of new travel services on the Internet is a direct result of the low cost of entry into this field and the relatively low cost to operate and maintain such a site, compared to a bricks-and-mortar travel agency. In this highly competitive arena, the ability of travel retailers to gather and analyze information about your travel patterns is an important competitive asset. This information is often resold to carriers within the travel industry but can also be used to gauge your relative wealth and amount of leisure time. This kind of information is gold to the direct marketing industry -- and online travel agencies can and do trade this gold in order to expand their margins. Traveler, beware.
7:30 p.m. Review, edit, and put final touches on upcoming speech; e-mail presentation to conference organizers for reproduction.
Companies that run conferences generally keep copies of your presentation for their files and distribute them to conference attendees as well. Some conferences actually publish presentations on their website. This may not be a problem, but it is helpful to remember that your ultimate audience could include competitors or investors.
8:17 p.m. Exit building, using badge to exit prepaid underground parking.
It's the end of another high-voltage day. Somewhere, someone knows what time you left the building. In fact, he or she may even have noticed how tired you looked as you passed the networked security camera.
8:35 p.m. Stop in at grocery store to pick up milk and Häagen-Dazs ice cream; use discount card and make a quick cash purchase.
Many people don't realize that a supermarket discount card is more than just a convenient substitute for coupons. The computerized scanning systems linked to your personal discount card capture information that your grocery can use to maintain a profile of you and your family -- one that includes all your eating and drinking habits. This information is valuable to others as well, such as insurers, employers, and direct marketers. Do you really want total strangers to know about that fondness of yours for pinot noir?
9:10 p.m. Collapse in easy chair; order dinner from Waiters online.
You should not be surprised when your friendly gourmet delivery service addresses you by name when they pick up the phone, anticipates your usual order, and offers to bill it to your Visa card (which they have on file). The incredible convenience of instant, customized service comes to you courtesy of the caller ID feature in the phone system, which in turn is hooked up directly to Waiters-on-Wheels's customer file and credit card billing system. They know your dinner routine better than you do. Tonight, when the waiter arrives, he asks, "Would you like us to call your cell phone at the usual time while you're on your way home, just to make it a little easier?" Over the seared ahi and saffron rice, prepared just the way you like it, you begin to wonder if perhaps these waiters know you a bit too well.
10:43 p.m. Log onto an Internet health site to research father's illness; request information.
Although you know the information you are requesting is for your father, the site owners don't. The pharmaceutical company that sponsors the site receives your information and sends the materials you requested to your postal address. What you don't realize is that you are now entered in their records as a person who possibly has a troublesome illness and, therefore, may be a potential customer. If the pharmaceutical company also resells its database to insurance companies, they and other data brokers may miss the nuance inherent in the phrase "may have this illness." They might not even have any idea of how the information in the database was compiled. Two months later, though you are a healthy thirty-seven-year-old woman, you receive a free sample of an herbal supplement that is reputed to help treat prostate cancer.
11:34 p.m. Call your phone message service to arrange a 7:00 a.m. wake-up call; turn in for the night.
Your first data log of the day ahead has already been recorded.

The modern information landscape has indeed changed greatly from that of our grandparents. Try as we might, we can no longer avoid the scrutiny of the data collectors, even if we avoid using that most obvious of data-entry tools, the computer keyboard. Computers and sensors are now embedded in the most mundane environments, and data is frequently collected about us without our volunteering it. To the many skills required to successfully make your way on life's journey, add one more: personal privacy protection.
Every day, millions of everyday people -- the amateurs, let's call them -- willingly provide personally identifiable information about themselves to the data collection pros. This information may include a name, a phone number, an address (home, business, or e-mail), and any number of other unique identifiers (social security number, credit card number, driver's license number, even the image of a face, retina, or set of fingerprints) -- but it must have at least one such identifying element to be useful. To be true PII, the information must always contain a hook -- a way to snag and reel in the unique identity of an individual human being.
PII hooks can be found in all sorts of information files. Imagine a massive computer directory, with thousands of electronic file folders, each containing a specific PII profile. The information in the files could be about anything from college grades to stock trades -- but every scrap of data in the files would come with a PII string attached. In this meta-directory, you might find, in a random perusal, such folders as Driving Records, Reading Habits; Gambling Histories; Records of Disciplined Soldiers, Attitudes about Abortion; Telephone Records; Airline Travel Preferences, Genetic Profiles, Conference Attendees, Asthma Sufferers, Purchasers of Palm Pilots, Mortgage Holders, Subscribers to Playboy Magazine, and on and on. When we speak of PII profiles, these are the kinds of categories that such profiles contain (though not all categories will be found in each profile).
While there is no single PII profile system, the advent of electronic computer networks is currently creating something quite similar: linked access among the many different computer directories that currently store PII. More and more PII-tagged information is being entered, stored, and traded via a common electronic grid. And the pros -- along with another group we'll meet later, the cons -- are getting better and better at using this grid for all kinds of purposes.
The real news about PII -- about the collection and use of information about you -- is that its use is compounding. Like the interest on a long-term debt, personal information that has made its way into the hands of the data collection pros feeds upon itself and grows exponentially. The more that is known about you -- and the more pros who know about you -- the easier it is for the next pro to learn still more. Connect the dots between the PII folders labeled "Home Phone Numbers," "Buyers of Outdoor Clothing," "Websites Visited," and "Truck Owners," and a gun merchant is able to build a new file called "Potential Buyers." Soon he is on the phone, calling people whom he suspects support the Second Amendment, drive pick-ups, and wear "camo" windbreakers. And this is a relatively benign example. Connect the dots between "Women Drivers Under Twenty-One" -- a database that contains home addresses -- with "Lingerie Buyers" and "Online Sex Chat Visitors," and you get quite a different picture. It is this ability to connect, with electronic ease, dozens to literally thousands of isolated bits and pieces of information about an individual human being that is dramatically changing the rules and raising the stakes of privacy protection in modern society.
Exchanges of PII take place via a variety of electronic and nonelectronic means, in virtually every segment of modern life. Amazingly, they often happen almost subconsciously. We want money from a cash machine; we want service from a doctor; we want product warranty protection for a new purchase; we want to visit a news site on the Web; we want a discount on groceries -- so we provide information about ourselves. We barely stop to think about where this information about us is going, who will get it, where or how long it will be stored, what it will be used for, or generally what the consequences may be.
Yet make no mistake: there are consequences -- potentially serious ones. Such as when personal, private, confidential financial information obtained from information brokers is used by phone solicitors to convince elderly citizens they need phony annuities. When the mother of a stillborn child receives birthday greetings from direct marketers for several years on the anniversary of her child's death. When the age and e-mail address of a ten-year-old is obtained online by a convicted sex offender. When detailed home phone records of a CEO are purchased over the Internet by a competitor. Or when a youthful indiscretion, a past disease, a reckless e-mail, or even a data-entry error by some unseen, unknown person enters the public digital record forever, and brands someone, accurately or inaccurately, for life.
Perhaps you are aware of the risks of modern society's ravenous hunger for facts about you. After all, you have chosen to read a book about privacy, so your awareness of privacy issues is likely well above average. But even so, do you, practically speaking, know how to manage your own personal privacy in the data exchanges of everyday life? Do you know how to take advantage of the growing online marketplace for goods, services, information, and entertainment, without being compromised by the equally robust online market for personal data?
These are the horns of the modern privacy dilemma. Privacy matters -- but how much? Personal data is sensitive, but where are the lines to be drawn between privacy and accountability? Information is power, and information about specific people is very powerful, but what precisely should be the limits of its use in business and trade? No one knows, and few agree.
There is little true consensus in the business and technology world about how matters of personal privacy should be handled, and there are no simple answers to the tough privacy questions being raised by new information technology. The sooner a common consensus is reached, however, the better. Without one, privacy issues will become a major obstacle to continued growth in the electronic marketplace.
The payoffs of privacy policy consensus, and the risks of not achieving one, are compounding almost daily. Indeed, the whole personal privacy landscape has as least temporarily turned into a kind of shambles -- an Alice in Wonderland game that nearly everyone plays, but according to a hodgepodge, random set of rules. Perceptive observers -- a group that includes the CEOs of Microsoft, IBM, and McGraw-Hill and the chairman of the Federal Trade Commission -- understand that this state cannot continue. It's far too unstable.
Consider the following data points:

• Polls are showing privacy concerns at an all-time high. (See box, pages 37-38.)
  
• The United States and Europe are in the midst of a serious trade disagreement over how personal data is to be collected and managed.
  
• Privacy policies of individual companies vary tremendously, as does compliance with these policies (largely self-generated and self-enforced).
  
• Privacy preferences vary tremendously among individuals as well (the Internet spectrum is from the cleverly anonymous to people who proudly webcast their entire lives -- including their most personal moments -- on their sites).
  
• Courts around the world are awarding significant damages to consumers and Internet users over claims of privacy violation. (See the article on US Bancorp in Appendix B.)
  
• Over one hundred new privacy laws were introduced in the 105th (1997-98) U.S. Congress, nearly four times the number introduced in the 1993-94 session.
  
• New technologies of data collection, Internet monitoring, online surveillance, data mining, automatic mailing, personal searching, and identity spoofing are rolling out into the electronic marketplace every month.
  
• Personalized, customized products and services over the Internet -- most of which require users to provide more personal information than they ever have given to companies before -- are creating one of the hottest growth sectors in the entire economy.
  
• Networked databases, the applications that store and manage personal information, are becoming more powerful, more intelligent, and more interoperable. But much more significant is the fact that PII is moving from proprietary databases out into the clear on the Internet -- a trend that may have profound privacy implications.
  
• The rising use and increased durability of private company e-mail is creating both serious human resource concerns and significant legal liabilities for corporations.
  
• "Legitimate" information brokering -- the buying and selling of personal information -- is now a billion-dollar industry in the United States.
  
• Illegitimate identity theft aided by online technologies has been cited by the FBI as one of the fastest-growing white-collar crimes in America.
  
• Parents, students, law enforcement officials, AIDS and cancer patients, gynecologists, politicians, film stars, multimillionaires, and anyone ever divorced -- to name just a few special categories of note -- are becoming increasingly sensitive about specific privacy risks they now face because of electronic data sharing.
  
• And not surprisingly, public polling also shows that average citizens are becoming extremely confused and anxious because of all of the above.
  

If you are dealing with privacy issues today in business, you and your company should understand that privacy can no longer be ignored. Governments are getting restless, consumers are strongly pro-privacy in opinion polls (if not yet consistently in the voting booth or the marketplace), and many of your competitors will likely be using privacy positioning soon as a competitive advantage. Internal privacy policies governing company-to-employee relations will also become increasingly important for employee recruiting and retention and for legal risk management. Over 80 percent of Net users in a recent survey said they would like to see companies require privacy training for all employees. Bottom line: privacy management is a new core competency you must have. If your company does not yet have a privacy policy "owner" who is knowledgeable about privacy issues and empowered to manage them, get one soon.
For government officials, our advice is: keep one foot on the gas and the other on the brake. Continue to respond to rising public concern about privacy by focusing on the most obvious problem areas -- such as children's privacy and identity theft. Rattle the saber of regulation, but use it sparingly. Avoid slowing down Internet commerce, which is much more dependent than you might realize on free-flowing, chaotic marketplace experimentation. Before thinking too seriously about managing privacy in the marketplace, manage it first in all government operations (government databases often being the easiest, cheapest source of personal information). But understand that personal privacy will continue to be a major social and political issue in the decades ahead. And stay up to date -- privacy is a dynamic, evolving field.
If you are collecting PII as an Internet outlaw, hacker, con man, or online peeping tom, look out. As the privacy heat rises, you'll be the first to pay the price. Fun-and-games time is over. Expect a massive new commitment to fighting info-terrorism and cyber-crime in the very near future. Even minor data thieves may get swept up in the net.
For everyone else -- consumers, citizens, Net surfers, parents, etc. -- the first thing to realize is that, for all practical purposes, personal privacy is no longer a right, but a skill. Your government -- even if you live in privacy-sensitive Europe -- will fall far short of offering full protection. Technology is moving too fast. When you interact with an electronic network, you are venturing into strange new territory where facts about you stick like flies to flypaper. Read the signposts -- especially company privacy policies as posted on the Internet. If you find your personal privacy being attacked by some online menace, look for help.
Learn as much as you can about how data is collected and used in this new online environment: from now on it's going to be an increasing part of your life. Never give out personal information frivolously -- unless you like having companies and people know as much as possible about you. And especially, "vote" for privacy whenever possible by supporting trustworthy merchants with strong, clear privacy policies and practices.
There. That's the easy part.

Tips and Tricks for Chapter 1
Lie. When in doubt about the trustworthiness or integrity of a website operator, if user registration is required, lie. A survey by Boston Consulting Group for TRUSTe revealed that fibbing tended to be a very popular response from users when they were asked to give PII to a website. Although we don't endorse wholesale lying as a practice, we do believe it is a good strategy when you are uncertain of a site's policies. And don't feel too bad if you do fudge your identity a bit -- you will not be alone: 30-40 percent of online registration info given over the Web is bogus!
Tell the truth. When you do find a company or website you trust, be as open and honest as you can, especially when such information can help provide you with better, more personalized service. MyExcite or MyYahoo, for example, have a great deal of information about the authors' highly personalized needs for information about privacy and technology -- and even know our zip codes (in order to personalize our weather reports). Failing to give correct information to Excite or Yahoo! -- known to us to be trustworthy information partners -- would be foolish.
Create an alias. The same Boston Consulting Group survey cited above also revealed that many Internet users had set up a system of false identities for e-mail purposes. The idea was to give out one particular e-mail-address alias whenever registering at a website (especially when registering at a site likely to do considerable direct marketing), while keeping another main identity for friends, family, and business associates. As this e-mail box fills up with promotional inquiries, you can track how companies use and resell the addresses they collect.
Seed the market. "Seeding" is a monitoring practice used by privacy assurance organizations such as TRUSTe. The idea is to seed the marketplace with a specific set of unique identities that can be uniquely traced to a single information transaction. If Bill Gates wanted to see if America Online really protected his personal privacy, what he might do is register only at AOL as Willie X. Gates, while putting in correct data everywhere else. In this way, whenever he encountered this particular name -- in spam e-mail, in junk mail, or in a telemarketer's call -- he would know precisely where it came from. This can be a good way to discover the sources of your own PII leaks, online or otherwise.
Firewalls: they aren't just for geeks anymore. In the corporate computing world, firewalls are security systems intended to protect an internal company network against unauthorized entry from the outside. Now firewalls are available for your home computer, too.
Some security suites, including WRQ's AtGuard 3.1 and Aladdin Knowledge Systems' eSafe Protect Desktop 2.1, come equipped with firewall capabilities that let you control access to your PC from other computers. To activate these firewalls, these programs will ask you to create rules describing who can have access to your computer, when they can use it, and what types of activities are permitted.
Erase your steps. Most modern Web browsers store a list of the Web pages you've recently visited. This information is stored in the History files and cache. Maybe you want to keep this info away from snoops.
Here's how to erase these entries:
Netscape Communicator. Go to the Edit menu and click Preferences. Then click again on Preferences, and an expanded menu will appear. Choose Cache. Select Clear Disk Cache, and all URLs in the cache will be erased. To clear the History window, choose Preferences from the Edit menu, click the Navigator category, and then click Clear History.
Microsoft Internet Explorer. To empty the History folder, go to the Tools menu. Choose Internet Options, and then click on Clear History. To clear the cache, open Windows Explorer and access the directory C:files and mark all files for deletion.