Privacy Issue: Big Browser Is Watching You

'You have zero privacy - get over it!' Scott McNealy, CEO, Sun Microsystems.

The use of personal information as a
commodity which is collected by corporations with little regard
for the privacy of individuals has reached epidemic proportions.
The law has lagged behind as companies and government agencies
oppose new protections and demand greater access to information
for commercial and law enforcement purposes.

This information ranges from the
trivial to the most sensitive. It includes financial records,
medical records, details of reading habits, political opinions,
sexual interests and other data that most people consider private.
Much of this information is routinely collected by computers
connected to the Internet.

The misuse of information is behind
the stock-market valuation of many dotcom companies. They gather
personal information from visitors by offering personalised
services such as news searches, free email and stock portfolios.
They then sell that information to advertisers or allow
advertisers to access market segments. It is then repurposed by
government agencies, companies and individuals for any number of
uses ranging from unsolicited email (known as spam) to checking
job references, targeting advertising and conducting criminal

Banks use the information in a
practice called 'weblining' to determine who to give service to
and which customers to drop. According to Forrester Research,
nearly a quarter of US companies are using information gathered
from the Internet to develop detailed profiles of customers. Some
are going after the youth market. ZapMe loans computers and a
satellite link to schools then collects the names, addresses and
phone numbers of students and transfers that information to

Other information, such as credit
records, that was formerly available only to professionals such as
private detectives, is now available to anyone with a credit card.
In September 1999, 20-year-old Amy Boyer was gunned down after a
stalker used two information brokers to obtain her New Hampshire

The most controversial area has been
the identification of net users. Most users believe that they are
anonymous as they browse the net but in reality they leave behind
information trails that can be used to identify them. Companies
have been developing new ways to improve identification and merge
user identities with real names and personal information.

The most pervasive tracking
technology is the cookie. The cookie is a small file containing a
serial number that is placed on a user's hard drive by a website.
Cookies were developed to improve websites' ability to track users
over a session. The cookie can also notify the site that the user
has returned and can allow the site to track the user's habits
across many different visits.

when it was realised that a single cookie could be used by many
different sites. This led to the development of advertising
network companies that can track users across thousands of sites.
The largest ad service is DoubleClick, which has agreements with
over 11,000 websites and maintains cookies on 100 million users,
each linking to hundreds of pieces of information about the user's
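
An added example (not from the original article) of the cross-site tracking described above: a single ad-network cookie lets the network tie together visits to unrelated sites, and refusing the cookie breaks that link. The class names, the `uid` cookie name and the `.example` hostnames are assumptions made for the illustration.

```python
# Added illustration; hostnames are constructed (.example), no network access.
import itertools
from collections import defaultdict
from http.cookies import SimpleCookie

class AdNetwork:
    """Ad server embedded as a third party on many publisher sites."""
    def __init__(self):
        self._serial = itertools.count(1)
        self.profiles = defaultdict(list)      # cookie serial -> sites seen

    def serve_ad(self, referer, cookie_header):
        """Handle one ad request; returns a Set-Cookie value or None."""
        jar = SimpleCookie(cookie_header or "")
        set_cookie = None
        if "uid" in jar:
            uid = jar["uid"].value             # returning browser
        else:
            uid = f"{next(self._serial):08d}"  # first sighting: issue a serial
            out = SimpleCookie()
            out["uid"] = uid
            out["uid"]["domain"] = "ads.example"
            set_cookie = out["uid"].OutputString()
        self.profiles[uid].append(referer)     # Referer names the page's site
        return set_cookie

class Browser:
    def __init__(self, allow_third_party_cookies=True):
        self.allow = allow_third_party_cookies
        self.ad_cookie = None                  # cookie stored for ads.example

    def visit(self, site, network):
        """Load a page on `site` that embeds an ad from the network."""
        sent = self.ad_cookie if self.allow else None
        reply = network.serve_ad(referer=site, cookie_header=sent)
        if reply and self.allow:
            self.ad_cookie = reply.split(";")[0]   # keep "uid=..." only

def largest_profile(allow_third_party_cookies):
    """Most sites the network can link to a single cookie serial."""
    network = AdNetwork()
    browser = Browser(allow_third_party_cookies)
    for site in ("news.example", "health.example", "bank.example"):
        browser.visit(site, network)
    return max(len(sites) for sites in network.profiles.values())

if __name__ == "__main__":
    print("cookies accepted:", largest_profile(True))    # one ID, three sites
    print("cookies refused: ", largest_profile(False))   # three IDs, one site each
```
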
In 1999, DoubleClick announced that
it was buying Abacus, owner of the largest direct marketing lists
in the country with information on the purchasing habits of 90% of
all US households, and that DoubleClick was going to merge
information from the purchasing databases with information from

Following criticism, the Federal
Trade Commission and several state attorneys general are
challenging the merger of the information without the consent of
the users. Not satisfied with cookies, which can be deleted by a
user, the computer industry is now trying permanent methods of

In 1999, Intel announced that it was
including a serial number in each new Pentium III chip that could
be accessed by websites and internal corporate networks. Most of
the manufacturers suppressed the number after a consumer boycott
was announced. Meanwhile, Microsoft and RealAudio were caught
using the internal networking number found in most computers as

The Internet Engineering Task Force
has developed specifications for the next version of the
Internet's underlying protocols called IPv6 that will assign a
unique permanent ID number to every device hooked into the net -
one day including your refrigerator and VCR. Who needs cookies
when your refrigerator will inform on you?

Other companies are trying a
different approach, offering to become 'information brokers'.
Under many of these systems, the users provide information to the
company, which then provides it to the third-party website with the
consent of the user. Many of these systems, such as Microsoft's
Passport and the World Wide Web Consortium's (W3C) Platform for
Privacy Preferences (P3P), are designed more to facilitate data
sharing than to protect users.

They are also frequently used by
industry as justification for not passing laws. Internet security
also raises serious problems for privacy. In April 2000, it was
revealed that an unknown Microsoft engineer had included a
backdoor into its webserver software. If someone typed 'Netscape
engineers are weenies!' backwards, they would have full control of
websites and associated data.

De Beers lost 35,000 names,
addresses, phone numbers and email addresses of people inquiring
about buying diamonds following a security breach in March. To
respond to these challenges, many countries are adopting new laws.
The European Union enacted two data protection directives in 1995
and 1997 to extend privacy protections.

Nearly 40 countries have
comprehensive laws or are in the process of adopting them.
However, the US government refuses to accept these international
standards. The official policy of the US government is to oppose
privacy laws and to promote industry self-regulation. In limited
areas, it supports sectoral laws.

For instance, there are laws that
cover records generated by video rentals and ensure the privacy of
some email. The only solid law that has passed on Internet privacy
covered the collection of information on children under the age of

Perhaps the biggest difference
between the European approach and that in the US is the lack of a
government body that provides for oversight and enforcement. The
US Federal Trade Commission has a very limited jurisdiction over
'false and deceptive practices'. Activists describe the agency as
weak and ineffective. Each year, it conducts a survey of privacy
policies of websites that it always finds inadequate but then
calls again for industry self-regulation.

The industry also promotes
self-regulatory bodies TrustE and BBB Online, which give out
'seals' to reassure net users that the sites support privacy.
However, these bodies receive large amounts of money from the
companies they are supposed to oversee, and have yet to sanction
any company for any privacy violation.

TrustE has refused to deal with
several issues against Microsoft, Intel and RealAudio. To respond
to the EU Data Protection Directive, the US Department of Commerce
proposed creating a 'Safe Harbour' for US companies to continue to
work with European partners without adequate legislation.

Under the agreement, US companies
voluntarily agree to follow a set of privacy principles more in
keeping with EU standards. With nothing to defend EU data in the
hands of US companies except self-regulation, European privacy and
consumer groups are considering suing if the agreement is

The endless list of privacy scandals
has led to a growing backlash as consumer and privacy groups have
organised campaigns and boycotts. Company stock prices have been
crushed when new abuses appear. Lawyers have filed class-action
suits based on computer crime laws against companies such as
RealAudio for violating privacy.

Several companies have backed down
from their controversial proposals and government agencies,
especially at state level, are starting to investigate company
practices. However, the lack of a federal agency to protect
privacy has hampered these efforts.

In Congress, two privacy caucuses
have been set up. Several hundred bills have been introduced in
the last two sessions but in the face of massive industry
donations and lobbying, not one Internet privacy bill has

David Banisar is a
Washington-based attorney and writer specialising in privacy,
freedom of information and communications issues. He is Deputy
Director of Privacy International and a Senior Fellow at the
Electronic Privacy Information Centre