Law and the Net: Privacy

By Dudette
(October 25, 1998)

"The right to be left alone -- the most comprehensive of rights, and the right most valued by a free people."
     - Justice Louis Brandeis, Olmstead v. U.S. (1928).

Our previous articles in this series have covered Copyright and Freedom of Speech, areas where the law is fairly clearly defined. As we approach the subject of Privacy, however, we find gaping holes and a laissez-faire government approach that expects the industry to regulate itself.

Protections in the US for personal information have been called "reactive, ad-hoc, and confused." ("The Fundamental Role of Privacy and Confidence in the Network," Wake Forest Law Review 105 (1995).) Privacy laws have been made only in response to specific perceived problems. As a result, we have a patchwork of narrow protections for specific instances rather than a coherent statement of what information may be private. This makes it difficult to determine exactly what information is protected and how. In addition, many privacy laws have large loopholes, which makes them hard to understand and apply.

What that means to you is -- you have very little privacy unless you take steps to protect yourself.

Why Technology Is Making a Difference... and a Danger

We're all accustomed to the fact that, when we subscribe to a magazine or buy from a catalog, we're going to end up on advertising mailing lists. When we buy a house, or have a new child, or have any other transaction that becomes public record, we're likely to receive "targeted" ad mailings related to the transaction.

In the old days, companies that sold mailing lists sold them on pre-printed mailing labels, or sold a list of names and addresses that were pre-sorted and selected for particular target consumers -- for example, a list of families that had new babies. As computers began to be used for advertising mailing, these were sold in electronic form, where they could also be used to personalize the direct mail. Your letter from Ed McMahon telling you (by name) that you have won the $11 million American Home sweepstakes (if you have and return the winning number) is an example of this.

So why is online different... and more dangerous? Cookies and server logs on a website make it much simpler to collect additional data that you may not realize you're giving out. Any site that uses cookies -- "stamps" placed in the browser -- can identify individual users, although not necessarily by name. If you've given the site any identifying information -- for example, made a purchase, registered for a service, or posted in an online forum -- that information can be correlated with other data, such as the pages you view, the site that you came from, and how often you return, to create a more detailed record of who you are and what you do.

A cookie is only supposed to be retrievable by the site that placed it. Today, however, many of the ad banners in web pages do not exist within the site where you see them but instead are linked in from an advertising service. The HTTP connection your browser makes to the advertising service to retrieve the banner also allows that service to place a cookie and to retrieve it again from any other web page you visit that has banners from the same advertising service. This allows the advertising companies to build a cross-site profile of your online activities.
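
The banner mechanism described above can be modeled in a few lines. This is an added example, not part of the original article; the host name ads.example, the cookie name uid, and the page URLs are constructed for illustration. It shows why the profile forms even though each cookie is returned only to the host that set it, and how the linkage disappears when the browser refuses third-party cookies.

```python
import uuid
from collections import defaultdict

AD_HOST = "ads.example"  # hypothetical advertising service embedded by many sites

# Constructed sample: three unrelated sites that all carry banners from AD_HOST.
PAGES = [
    "http://news.example/politics",
    "http://shop.example/baby-strollers",
    "http://health.example/forum/diabetes",
]


class AdServer:
    """Toy banner service: sets a cookie once, then logs every page it is embedded in."""

    def __init__(self):
        self.profiles = defaultdict(list)  # cookie id -> pages where a banner loaded

    def serve_banner(self, headers):
        pairs = (p.strip().split("=", 1) for p in headers.get("Cookie", "").split(";") if "=" in p)
        uid = dict(pairs).get("uid")
        response = {"Content-Type": "image/gif"}
        if uid is None:  # first contact: mint an identifier and ask the browser to keep it
            uid = uuid.uuid4().hex
            response["Set-Cookie"] = f"uid={uid}; Domain={AD_HOST}; Path=/"
        # The Referer header names the page that embedded the banner.
        self.profiles[uid].append(headers.get("Referer", "(none)"))
        return response


class Browser:
    def __init__(self, third_party_cookies=True):
        self.jar = {}  # cookie jar keyed by the host that set the cookie
        self.third_party_cookies = third_party_cookies

    def visit(self, page_url, ad_server):
        """Load a page; fetching its banner is a separate request to AD_HOST."""
        headers = {"Referer": page_url}
        if self.third_party_cookies and AD_HOST in self.jar:
            headers["Cookie"] = self.jar[AD_HOST]  # sent only to the host that set it
        response = ad_server.serve_banner(headers)
        if self.third_party_cookies and "Set-Cookie" in response:
            self.jar[AD_HOST] = response["Set-Cookie"].split(";", 1)[0]


def simulate(third_party_cookies):
    """Return the ad server's view after one browser visits every page in PAGES."""
    ads, browser = AdServer(), Browser(third_party_cookies)
    for url in PAGES:
        browser.visit(url, ads)
    return dict(ads.profiles)
```

With cookies accepted, the server ends up with one identifier tied to all three pages; with third-party cookies refused, it sees three unrelated one-page visitors.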

Data Mining

Databases from different sources that contain common information -- such as your name, email address or social security number -- can be linked and "mined" to create an even more complete profile of you. For example, credit card companies and banks may access your purchasing records to find out what kinds of products you are buying. These companies sell mailing lists -- databases -- to other companies for advertising. If the company buying the list has other databases from other sources with some information in common, they can do some mining of their own. The advertiser who contacts you for the first time may know more about you than you could imagine.

What kind of information? There are thousands of online databases that have revealing personal information, available via either private dial-up for subscribers or via the Internet itself. The ACLU discovered one site offering databases including the following:

  • Aircraft Locator
  • Auto Ownership by Name
  • Auto Ownership by Tag #
  • Auto Ownership by VIN #
  • Brokerage House Search
  • Business Analysis Report
  • Business Bank Account Search
  • Business Credit Report
  • Cellular Phone # to Address
  • Complete Background Check
  • Creditors of an Individual
  • Criminal Records Search
  • Death Master Index Search
  • Executive Business Relationships
  • Identify Social Security Number
  • Individual Credit Report
  • Individual Driving Record
  • International Bank Accounts
  • Personal Bank Accounts
  • Personal Stock Holdings
  • Phone Number to Name & Address
  • Personal Address from P.O. Box
  • Employment Information
  • Pre-Employment Background
  • Real Property Search
  • Skip Trace with SSN
  • Skip Trace without SSN
  • Social Security Number Search
  • UCC, Lien, Mortgage Search
  • Unpublished Phone Number
  • Watercraft Locator
  • Toll Calls
  • Cellular Toll Calls

A site called FastTrack claims that it can create personal profiles of individuals by cross-referencing databases:
"Background checks can be used by companies or individuals and are commonly used to verify and reveal information about employment applicants, nannies, someone you're dating, or if you're just "unsure" about a certain person. This report can return complete background information on an individual by providing information from a multitude of sources including credit bureau headers, voter registrations, assessor records, civil court filings, bankruptcy filings, vehicle registrations, property ownership, drivers license files, corporate filings, telephone white pages, mailing lists and many more."

Privacy Laws

Theoretically, we have some limited protections. The US Privacy Act applies to all federal records, and many states have some (quite differing) forms of privacy laws pertaining to information held by the state. This summary of state privacy laws, compiled by the Electronic Privacy Information Center, demonstrates just how spotty these are; in Arkansas, for example, there are no privacy laws pertaining to arrest records, bank records, insurance records or tax records, though laws protecting the privacy of these exist in some other states. Even so, in April 1997, the Social Security Administration was forced to shut down its web site after reports that it may have provided unauthorized access to information about individuals' personal income and retirement benefits on the Internet... information supposedly protected by the Privacy Act.

The Electronic Communication Privacy Act, enacted by Congress in 1986 to address privacy concerns in electronic communications, allows the government to obtain information from an online service provider only under warrant or subpoena. The ECPA also makes it a federal offense to intercept and/or read someone's email or other electronic communications without permission.

But (and it's a big but), system operators are excepted from this prohibition. They are given a special exception in order to do their jobs, but are prohibited from disclosing your communications unless one of the parties to the traffic (sender or receiver) gives permission. If you carefully read your Terms of Service (including WebTV's), you may discover that you have given permission just by saying "I Accept" to a long electronic document when you signed on.

The cable television industry is specifically prohibited from collecting and releasing subscriber-specific information, except for very limited purposes, without the subscriber's express consent. To eliminate the situation of the subscriber being faced with "Agree or No Service" (as in the case of the WebTV Terms of Service), the Cable Television Privacy Act requires the cable operator to give the consumer the opportunity to prohibit or limit personal information disclosure. (WebTV's Privacy Policy states that this ability may be provided at some time in the future.)

The US vs Europe

The Clinton Administration's policy towards privacy has been that the industries involved in the collection and use of private data should regulate themselves. This has put the US at odds with the European Community, which has very strict privacy policies. The US's lack of privacy regulation regarding personal data may lead to conflict with European laws, which require strict protections for entities collecting information on EC consumers. What happens when US websites collect information on their visitors from Europe? You can expect to hear more about this in the next few months as Europe moves to a standard currency and many of the EC regulations go into effect.

Is Self-Regulation Enough?

Perhaps the better question would be, does it even work? GeoCities, with a stated Privacy Policy and membership in TRUSTe, a self-regulation service that supposedly guarantees privacy of its members, recently signed a consent decree with the FTC to stop revealing identifying information about its users to advertisers unless it stated that it would do so.

At least GeoCities had a Privacy Policy, which allowed the FTC to go after it when it violated it. Many sites that collect information do not. A recent survey by the FTC found that, of 100 major sites it reviewed, only 17 promised to limit the use of private information. Even more disturbing, it found that, of 212 children's sites it surveyed, 89% collected personal details but only 7% promised to notify parents about their collection and less than 10% gave the parents any control over the collection and use of the children's data. This survey led to the Children's Online Privacy Act being attached to the new NetTax law.

Even when there is a Policy, there is no guarantee that the company will follow it, or that it will maintain adequate safeguards to assure that data is not accidentally or purposefully misused. AOL's most highly-publicized security breach was in the case of Navy Chief Timothy McVeigh (no relation to the Oklahoma City bomber), when information identifying him as gay was released to the Navy. AOL also came under fire and was forced to revamp its privacy policy and security after it was revealed to be giving subscribers' phone numbers to telemarketers. In 1976, the IRS fired or disciplined hundreds of employees found to be browsing taxpayer records to collect personal information. There are numerous cases of credit bureau and public employees collecting supposedly-private information from the records that they have access to, and undoubtedly many more that haven't been caught.

Even software bugs and glitches can release private information if it has been collected. As we previously reported in Net4TV Voice, HotMail, Excite and other "portals" collecting personal data have inadvertently revealed it by passing the user ID that retrieves personal pages in the "referring site" URL that webmasters see in their logs. Just this last week, Microsoft was forced to shut down its Microsoft Money update after it was revealed that users could modify a "reservation number" for an upgrade and access other people's personal information.

WebTV's own Terms of Service states:
4. WNI Communications. WNI may choose to forward occasional promotions to or communicate directly with to its subscribers via e-mail regarding certain information and/or special offers regarding the WebTV Network service that WNI deems of value and interest to its users. In these rare instances, WNI sends such information itself and does not provide any subscriber e-mail lists to any third party, even if the promotion or communication involves a partner, so as to ensure the protection of this information.

However, Net4TV has received email from Inergy into our Sony WebTV boxes that we use for development only and that have never been used for any email. An examination of the email headers, which addressed the primary subscriber by full name, shows that the email was sent directly from Inergy's mailserver and not from WebTV. WebTV's Terms of Service also states:
(2)B. Under strictly limited conditions, providing similar information to key corporate partners such as the manufacturers of the WebTV Product for their internal information purposes regarding product activation information.

We have been unable to determine whether the release of our subscriber information was by WebTV directly to Inergy, or whether it was released to Sony under the provision above and Sony sent it to Inergy. In any case, it points out that privacy statements are no guarantee of privacy, and once the data is in the hands of a third party, even the most well-meaning data collector cannot keep it from being passed on.

Data Aggregation

The release of aggregate data -- surveys and demographics about the usage pattern of groups of people -- is not such an issue. You have no personal exposure if WebTV, the Census Bureau, or any other researcher releases the viewing habits of people in your town or age bracket. This type of information is used to tailor advertising and products to be more effective by targeting them at the demographics most likely to buy, but can't be used to track you down. The results may even be beneficial to you -- no more sitting through diaper ads when you have no kids.

The problem, of course, is that the source from which the aggregated data is compiled is personally identifying. There is little in place to keep the specific data about you from also being sold.

Why Should You Care?

"So what?" wrote one of our Net4TV Voice readers. "We've gotten junk mail for years, and it just goes in the round file. How is this different?"

If it were only a matter of junk mail or "targeted advertising," it might not matter. But once your information is available, it can be used in a variety of ways that you don't want:
  • Identity theft. Ever had a charge that you didn't make appear on a credit card? You've just seen the tip of the iceberg. With your name and Social Security number, crooks can masquerade as you to get credit based on your credit history. It can be a nightmare that can take years to get all of the negative information removed from your credit records. People have even been arrested and jailed for crimes that were committed by someone who had stolen their identity.
  • Stalking, Burglary. Did you get into a fight online? Did you tell someone about your coin collection? If they can get any personal identification on you, they can use online databases to find where you live, your phone number, and even get a map to your house.
  • Lawsuits and Other Disputes. If you get into a dispute or a lawsuit, you may find that the other side has a lot of revealing information that it will try to use against you. When a shopper slipped and fell in a Von's supermarket, Von's used the records from his Von's Club card to try to show that he bought a lot of liquor and, by implication, was probably a drunk.

What Can You Do?

First, educate yourself. The ACLU provides a 12-point "Pocket Card" with tips on how to limit the personal information that is available about you.

In addition to the ACLU, numerous other entities including EPIC, the EFF, and the Privacy Clearinghouse are making efforts to demand legislation to protect consumer privacy. You'll find the links below.

Then, pick up your keyboard and write your Congressman and Senators. Tell them that you support the ACLU's Privacy Principles (no matter how you feel about the ACLU, this one's for you!):

  1. Your personal information should never be collected or given out without your knowledge and permission.
  2. Organizations must let you know why they're collecting your info; and they can't use it for reasons other than the one you gave permission for (unless they get a new permission from you.)
  3. They must ensure the privacy of the personal info they collect or maintain on you, retaining only what is necessary info, and only for as long as it's needed.
  4. You should have the right to examine, copy, and correct your own personal information.
  5. There must be no national ID system -- either in law or in practice.
  6. Unrelated data bases must be kept strictly separate so info can't be cross-referenced.
  7. Personal "biometric" data -- your fingerprints, DNA, retina/iris scans, etc. -- must not be involuntarily captured or used (except for fingerprinting criminals.)
  8. The government must not prohibit or interfere with the development of technologies that preserve anonymity (such as encryption).
  9. These principles should be enforceable by law. And no service, benefit or transaction should be conditioned on your waiving your privacy rights.

Let Us Know How You Feel

Your opinion matters! "How do you feel about privacy?" is our Question of the Week.

Links for More Information

ACLU Privacy

The Electronic Communications Privacy Act

The Cable Television Privacy Act of 1994

Privacy Rights Clearinghouse

Consumer Concerns About Privacy Rights (Presentation to Office of Comptroller of Currency)

The Privacy Site

Microsoft Site Exposes User Information

AOL Revamps Security Policies

GeoCities Goes Public In More Ways Than One

ACLU Letter Regarding the Need for Online Privacy

The Electronic Frontier Foundation

Taking Aim on Privacy Policies

Password Spamming

Arrgh! I've Got Cookies

Inside the Cookie Jar

The Other Articles in "Law and the Net"

Copyright Basics. What's copyrighted? What's not? How do you know what you can use and what will get you a nasty letter -- or more?

Dangerous Ground. Where you're likely to get into copyright trouble is when you try to push the edge. This article explains how to stay away from the dangerous ground.

Freedom of Speech. Can what you say and see online be censored? Yes and no -- this article explains your rights, the non-protected forms of speech, and the limitations that service providers can impose.

Net4TV, Net4TV Voice, Chat4TV, and Surfari
are trademarks of Net4TV Corporation
© 1998 - 2001, Net4TV Corporation. All Rights Reserved.