Feature - About the Net
Law and the Net: Privacy|
(October 25, 1998)
"The right to be left alone -- the most comprehensive of rights, and the right most valued by a free people."
Our previous articles in this series have covered Copyright and Freedom of Speech, areas where the law is fairly clearly defined. As we approach the subject of Privacy, however, we find gaping holes and a laissez-faire government approach that expects the industry to regulate itself.
Protections in the US for personal information have been called "reactive, ad-hoc, and confused."("The Fundamental Role of Privacy and Confidence in the Network," Wake Forest Law Review 105 (1995).) Privacy laws have been made only in response to specific perceived problems.
As a result, we have a patchwork of narrow protections for specific instances rather than a coherent statement of what information may be private. This makes it difficult to determine exactly what information is protected and how. In addition, many privacy laws have large loopholes, which makes them hard to understand and apply.
What that means to you is -- you have very little privacy unless you take steps to protect yourself.
- Justice Louis Brandeis, Olmstead v. U.S. (1928).
Why Technology Is Making a Difference... and a Danger
We're all accustomed to the fact that, when we subscribe to a magazine or buy from a catalog, we're going to end up on advertising mailing lists. When we buy a house, or have a new child, or have any other transaction that becomes public record, we're likely to receive "targeted" ad mailings related to the transaction.
In the old days, companies that sold mailing lists sold them on pre-printed mailing labels, or sold a list of names and addresses that were pre-sorted and selected for particular target consumers -- for example, a list of families that had new babies. As computers began to be used for advertising mailing, these were sold in electronic form, where they could also be used to personalize the direct mail. Your letter from Ed McMahon telling you (by name) that you have won the $11 million American Home sweepstakes (if you have and return the winning number) is an example of this.
A cookie is only supposed to be retrievable by the site that placed it. Today, however, many of the ad banners in web pages do not exist within the site where you see them but instead are linked in from an advertising service. The HTTP connection to the advertising service to retrieve the banner allows it also to place and retrieve cookies that can be retrieved from any other webpage you visit that has banners from the same advertising service. This allows the advertising companies to build a cross-site profile of your online activities.
Databases from different sources that contain common information -- such as your name, email address or social security number -- can be linked and "mined" to create an even more complete profile of you. For example, credit card companies and banks may access your purchasing records to find out what kinds of products you are buying. These companies sell mailing lists -- databases -- to other companies for advertising. If the company buying the list has other databases from other sources with some information in common, they can do some mining of their own. The advertiser who contacts you for the first time may know more about you than you could imagine.
What kind of information? There are thousands of online databases that have revealing personal information, available via either private dial-up for subscribers or via the Internet itself. The ACLU discovered one site offering databases including the following:
A site called FastTrack claims that it can create personal profiles of individuals by cross-referencing databases:
||International Bank Accounts
|Auto Ownership by Name
||Personal Bank Accounts
|Auto Ownership by Tag #
||Personal Stock Holdings
|Auto Ownership by VIN #
||Phone Number to Name & Address
|Brokerage House Search
||Personal Address from P.O. Box
|Business Analysis Report
|Business Bank Account Search
|Business Credit Report
||Real Property Search
|Cellular Phone # to Address
||Skip Trace with SSN
|Complete Background Check
||Skip Trace without SSN
|Creditors of an Individual
||Social Security Number Search
|Criminal Records Search
||UCC, Lien, Mortgage Search
|Death Master Index Search
||Unpublished Phone Number
|Executive Business Relationships
|Identify Social Security Number
|Individual Credit Report
|Individual Driving Record
||Cellular Toll Calls
"Background checks can be used by companies or individuals and are commonly used to verify and reveal information about employment applicants, nannies, someone your dating, or if your just "unsure" about a certain person. This report can return complete background information on an individual by providing information from a multitude of sources including credit bureau headers, voter registrations, assessor records, civil court filings, bankruptcy filings, vehicle registrations, property ownership, drivers license files, corporate filings, telephone white pages, mailing lists and many more."
Theoretically, we have some limited protections. The US Privacy Act applies to all federal records, and many states have some (quite differing) forms of privacy laws pertaining to information held by the state. This summary of state privacy laws, compiled by the Electronic Privacy Information Center, demonstrates just how spotty these are; in Arkansas, for example, there are no privacy laws pertaining to arrest records, bank records, insurance records or tax records, though laws protecting the privacy of these exist in some other states. Even so, in April 1997, the Social Security Administration was forced to shut down its web site after reports that it may have provided unauthorized access to information about individuals' personal income and retirement benefits on the Internet... information supposedly protected by the Privacy Act.
The Electronic Communication Privacy Act, enacted by Congress in 1986 to address privacy concerns in electronic communications, allows the government to obtain information from an online service provider only under warrant or subpoena. The ECPA also makes it a federal offense to intercept and/or read someone's email or other electronic communications without permission.
But (and it's a big but), system operators are excepted from this prohibition. They are given a special exception in order to do their jobs, but are prohibited from disclosing your communications unless one of the parties to the traffic (sender or receiver) gives permission. If you carefully read your Terms of Service (including WebTV's), you may discover that you have given permission just by saying "I Accept" to a long electronic document when you signed on.
The US vs Europe
The Clinton Administration's policy towards privacy has been that the industries involved in the collection and use of private data should regulate themselves. This has put the US at odds with the European Community, which has very strict privacy policies. The US' lack of privacy regulation regarding personal data may lead to conflict with European laws which require strict protections for entities collecting information on EC consumers. What happens when US websites collect information on its visitors from Europe? You can expect to hear more about this in the next few months as Europe moves to a standard currency and many of the EC regulations go into effect..
Is Self-Regulation Enough?
Even software bugs and glitches can release private information if it has been collected. As we previously reported in Net4TV Voice, HotMail, Excite and other "portals" collecting personal data have inadvertently revealed it by passing the user ID that retrieves personal pages in the "referring site" URL that webmasters see in their logs. Just this last week, Microsoft was forced to shut down its Microsoft Money update after it was revealed that users could modify a "reservation number" for an upgrade and access other people's personal information.
WebTV's own Terms of Service states:
4. WNI Communications. WNI may choose to forward occasional promotions to or communicate directly with to its subscribers via e-mail regarding certain information and/or special offers regarding the WebTV Network service that WNI deems of value and interest to its users. In these rare instances, WNI sends such information itself and does not provide any subscriber e-mail lists to any third party, even if the promotion or communication involves a partner, so as to ensure the protection of this information.
However, Net4TV has received email from Inergy into our Sony WebTV boxes that we use for development only and that have never been used for any email. An examination of the email headers, which addressed the primary subscriber by full name, shows that the email was sent directly from Inergy's mailserver and not from WebTV. WebTV's Terms of Service also states:
(2)B. Under strictly limited conditions, providing similar information to key corporate partners such as the manufacturers of the WebTV Product for their internal information purposes regarding product activation information.
We have been unable to determine whether the release of our subscriber information was by WebTV directly to Inergy, or whether it was released to Sony under the provision above and Sony sent it to Inergy. In any case, it points out that privacy statements are no guarantee of privacy, and once the data is in the hands of a third-party, even the most well-meaning data collector cannot keep it from being passed on.
The release of aggregate data -- surveys and demographics about the usage pattern of groups of people -- is not such an issue. You have no personal exposure if WebTV, the Census Bureau, or any other researcher releases the viewing habits of people in your town or age bracket. This type of information is used to tailor advertising and products to be more effective by targeting them at the demographics most likely to buy, but can't be used to track you down. The results may even be beneficial to you -- no more sitting through diaper ads when you have no kids.
The problem, of course, is that the source from which the aggregated data is compiled is personally identifying. There is little in place to keep the specific data about you from also being sold.
Why Should You Care?
"So what?" wrote one of our Net4TV Voice readers. "We've gotten junk mail for years, and it just goes in the round file. How is this different?"
If it were only a matter of junk mail or "targeted advertising," it might not matter. But once your information is available, it can be used in a variety of ways that you don't want:
- Identity theft. Ever had a charge that you didn't make appear on a credit card? You've just seen the tip of the iceberg. With your name and Social Security number, crooks can masquerade as you to get credit based on your credit history. It can be a nightmare that can take years to get all of the negative information removed from your credit records. People have even been arrested and jailed for crimes that were committed by someone who had stolen their identity.
- Stalking, Burglary. Did you get into a fight online? Did you tell someone about your coin collection? If they can get any personal identification on you, they can use online databases to find where you live, your phone number, and even get a map to your house.
- Lawsuits and Other Disputes. If you get into a dispute or a lawsuit, you may find that the other side has a lot of revealing information that it will try to use against you. When a shopper slipped and fell in a Von's supermarket, Von's used the records from his Von's Club card to try to show that he bought a lot of liquor and, by implication, was probably a drunk.
What Can You Do?
First, educate yourself. The ACLU provides a 12-point "Pocket Card" with tips on how to limit the personal information that is available about you.
In addition to the ACLU, numerous other entities including EPIC, the EFF, and the Privacy Clearinghouse are making efforts to demand legislation to protect consumer privacy. You'll find the links below.
Then, pick up your keyboard and write your Congressman and Senators. Tell them that you support the ACLU's Privacy Principles (no matter how you feel about the ACLU, this one's for you!):
- Your personal information should never be collected or given out without your knowledge
- Organizations must let you know why they're collecting your info; and they can't use it for reasons other than the one you gave permission for (unless they get a new permission from you.)
- They must ensure the privacy of the personal info they collect or maintain on you, retaining only what is necessary info, and only for as long as it's needed.
- You should have the right to examine, copy, and correct your own personal information.
- There must be no national ID system -- either in law or in practice.
- Unrelated data bases must be kept strictly separate so info can't be cross-referenced.
- Personal "biometric" data -- your fingerprints, DNA, retina/iris scans, etc. -- must not be
involuntarily captured or used (except for fingerprinting criminals.)
- The government must not prohibit or interfere with the development of technologies that
preserve anonymity (such as encryption).
- These principles should be enforceable by law. And no service, benefit or transaction should be conditioned on your waiving your privacy rights.
Let Us Know How You Feel
Your opinion matters! "How do you feel about privacy?" is our Question of the Week.
Links for More Information
The Electronic Communications Privacy Act
The Cable Television Privacy Act of 1994
Privacy Rights Clearinghouse
Consumer Concerns About Privacy Rights (Presentation to Office of Comptoller of Currency)
The Privacy Site
Microsoft Site Exposes User Information
AOL Revamps Security Policies
GeoCities Goes Public In More Ways Than One
ACLU Letter Regarding the Need for Online Privacy
The Electronic Frontier Foundation
Taking Aim on Privacy Policies
Arrgh! I've Got Cookies
Inside the Cookie Jar
The Other Articles in "Law and the Net"
Copyright Basics. What's copyrighted? What's not? How do you know what you can use and what will get you a nasty letter -- or more?
Dangerous Ground. Where you're likely to get into copyright trouble is when you try to push the edge. This article explains how to stay away from the dangerous ground.
Freedom of Speech. Can what you say and see online be censored? Yes and no -- this article explains your rights, the non-protected forms of speech, and the limitations that service providers can impose.
To Top of Page
Welcome to Net4TV Voice
Meet your fellow users who create
Net4TV Voice in the Masthead.
Net4TV, Net4TV Voice, Chat4TV, and Surfari
are trademarks of Net4TV Corporation
© 1998 - 2001, Net4TV Corporation. All Rights Reserved.