
Issue 3, 2000
 News & Analysis

The Privacy Issue: Big Browser Is Watching You
David Banisar

'You have zero privacy - get over it!' Scott McNealy, CEO, Sun Microsystems.

The use of personal information as a commodity which is collected by corporations with little regard for the privacy of individuals has reached epidemic proportions. The law has lagged behind as companies and government agencies oppose new protections and demand greater access to information for commercial and law enforcement purposes.

This information ranges from the trivial to the most sensitive. It includes financial records, medical records, details of reading habits, political opinions, sexual interests and other data that most people consider private. Much of this information is routinely collected by computers connected to the Internet.

The misuse of information is behind the stock-market valuation of many dotcom companies. They gather personal information from visitors by offering personalised services such as news searches, free email and stock portfolios. They then sell that information to advertisers or allow advertisers to access market segments. It is then repurposed by government agencies, companies and individuals for any number of uses ranging from unsolicited email (known as spam) to checking job references, targeting advertising and conducting criminal investigations.

Banks use the information in a practice called 'weblining' to determine who to give service to and which customers to drop. According to Forrester Research, nearly a quarter of US companies are using information gathered from the Internet to develop detailed profiles of customers. Some are going after the youth market. ZapMe loans computers and a satellite link to schools then collects the names, addresses and phone numbers of students and transfers that information to corporate sponsors.

Other information, such as credit records, that was formerly available only to professionals such as private detectives, is now available to anyone with a credit card. In September 1999, 20-year-old Amy Boyer was gunned down after a stalker used two information brokers to obtain her New Hampshire address.

The most controversial area has been the identification of net users. Most users believe that they are anonymous as they browse the net but in reality they leave behind information trails that can be used to identify them. Companies have been developing new ways to improve identification and merge user identities with real names and personal information.

The most pervasive tracking technology is the cookie. The cookie is a small file containing a serial number that is placed on a user's hard drive by a website. Cookies were developed to improve websites' ability to track users over a session. The cookie can also notify the site that the user has returned and can allow the site to track the user's habits across many different visits.

The use of cookies expanded greatly when it was realised that a single cookie could be used by many different sites. This led to the development of advertising network companies that can track users across thousands of sites. The largest ad service is DoubleClick, which has agreements with over 11,000 websites and maintains cookies on 100 million users, each linking to hundreds of pieces of information about the user's browsing habits.

In 1999, DoubleClick announced that it was buying Abacus, owner of the largest direct marketing lists in the country with information on the purchasing habits of 90% of all US households, and that DoubleClick was going to merge information from the purchasing databases with information from online browsing.

Following criticism, the Federal Trade Commission and several state attorneys general are challenging the merger of the information without the consent of the users.

Not satisfied with cookies, which can be deleted by a user, the computer industry is now trying permanent methods of identifying users.

In 1999, Intel announced that it was including a serial number in each new Pentium III chip that could be accessed by websites and internal corporate networks. Most of the manufacturers suppressed the number after a consumer boycott was announced. Meanwhile, Microsoft and RealAudio were caught using the internal networking number found in most computers as another identifier.

The Internet Engineering Task Force has developed specifications for the next version of the Internet's underlying protocols called IPv6 that will assign a unique permanent ID number to every device hooked into the net - one day including your refrigerator and VCR. Who needs cookies when your refrigerator will inform on you?

Other companies are trying a different approach, offering to become 'information brokers'. Under many of these systems, the users provide information to the company, which then provides it to the third-party website with the consent of the user. Many of these systems, such as Microsoft's Passport and the World Wide Web Consortium's (W3C) Platform for Privacy Preferences (P3P), are designed more to facilitate data sharing than to protect users. They are also frequently used by industry as justification for not passing laws.

Internet security also raises serious problems for privacy. In April 2000, it was revealed that an unknown Microsoft engineer had included a backdoor into its webserver software. If someone typed 'Netscape engineers are weenies!' backwards, they would have full control of websites and associated data. De Beers lost 35,000 names, addresses, phone numbers and email addresses of people inquiring about buying diamonds following a security breach in March.

To respond to these challenges, many countries are adopting new laws. The European Union enacted two data protection directives in 1995 and 1997 to extend privacy protections. Nearly 40 countries have comprehensive laws or are in the process of adopting them. However, the US government refuses to accept these international standards. The official policy of the US government is to oppose privacy laws and to promote industry self-regulation. In limited areas, it supports sectoral laws.

For instance, there are laws that cover records generated by video rentals and ensure the privacy of some email. The only solid law that has passed on Internet privacy covered the collection of information on children under the age of 13.

Perhaps the biggest difference between the European approach and that in the US is the lack of a government body that provides for oversight and enforcement. The US Federal Trade Commission has a very limited jurisdiction over 'false and deceptive practices'. Activists describe the agency as weak and ineffective. Each year, it conducts a survey of privacy policies of websites that it always finds inadequate but then calls again for industry self-regulation.

The industry also promotes self-regulatory bodies TrustE and BBB Online which give out 'seals' to reassure net users that the sites support privacy. However, these bodies receive large amounts of money from the companies they are supposed to oversee, and have yet to sanction any company for any privacy violation. TrustE has refused to deal with several issues against Microsoft, Intel and RealAudio.

To respond to the EU Data Protection Directive, the US Department of Commerce proposed creating a 'Safe Harbour' for US companies to continue to work with European partners without adequate legislation. Under the agreement, US companies voluntarily agree to follow a set of privacy principles more in keeping with EU standards. With nothing to defend EU data in the hands of US companies except self-regulation, European privacy and consumer groups are considering suing if the agreement is approved.

The endless list of privacy scandals has led to a growing backlash as consumer and privacy groups have organised campaigns and boycotts. Company stock prices have been crushed when new abuses appear. Lawyers have filed class-action suits based on computer crime laws against companies such as RealAudio for violating privacy.

Several companies have backed down from their controversial proposals and government agencies, especially on state level, are starting to investigate company practices. However, the lack of a federal agency to protect privacy has hampered these efforts.

In Congress, two privacy caucuses have been set up. Several hundred bills have been introduced in the last two sessions but in the face of massive industry donations and lobbying, not one Internet privacy bill has advanced.

David Banisar is a Washington-based attorney and writer specialising in privacy, freedom of information and communications issues. He is Deputy Director of Privacy International and a Senior Fellow at the Electronic Privacy Information Centre.
