FREE ESSAY ON PRIVACY CONSUMERS AND THE INTERNET

PRIVACY CONSUMERS AND THE INTERNET

Privacy
Consumers and the Internet
Introduction
A trend of great concern is the partnership of major consumer directory services with
companies that compile so called "public-records" databases. Such databases compile
records from a wide variety of government agencies, including courts, vital statistics
departments, tax rolls, elections records, or agencies that regulate professional
licenses. In addition, some companies also purchase data that is mined from
questionnaires, applications for credit cards, manufacturer's warranty information and
other commercial sources.
Revenues are often the primary motivators for state agencies that license or sell access
to their databases.
Web access to these data aggregators only broadens a growing problem inherent in these
data services: consumers do not have access to the public information maintained about
them and disseminated by the look-up services. Accordingly, consumers will not be able to
check for inaccuracies resulting from transcription or other errors occurring in the
process of obtaining or compiling the public information by the look-up services.
In addition to not being able to access the information maintained about them in these
massive data warehouses, many of the large data mining companies do not offer individuals
the ability to remove their personal data from the databases.
A wide array of personal information about each of us is kept electronically by others -
by medical insurers, employers, credit card companies, banks, phone companies and a wide
range of government and private agencies, some of which are in the business to sell our
personal information, no matter how private. And new technologies keep arising to
develop, collect, store and disseminate the most private information about each of us,
with few, if any legal protections. 
As a result, Americans suffered a record number of privacy violations, from marketing of
prescription drug information to government sales of Department of Motor Vehicles
information, including photos, to the Clinton Administration's plan to assign every
American a unique health identifier that could be used to create a giant database of our
medical records from cradle to grave, without adequate safeguards to prevent unauthorized
dissemination. 
Internet Privacy: an Oxymoron in Progress
A swirl of recent events only seems to confirm fears that consumers cannot trust their
privacy to the Internet.
There are many sources of the problem: data-hungry Internet firms bent on exploiting
personal information; inattention to security and persistent technological glitches; and
a growing underground of hackers who are willing to take advantage of the situation. 
Much of the recent attention was focused on DoubleClick, the Internet ad firm. But
several other less publicized incidents have added fuel to the fire. 
For instance, Outpost.com, a Web site offering palm pilots and other hi-tech gear,
promised to fix a glitch that potentially revealed customers' detailed transaction
summaries, including e-mail, billing and shipping addresses, type of credit card they
used, and their order history. 
Outpost.com customer James Wynn noticed his order number was in his URL address. When he
changed digits in the URL address, he was able to see other customers' orders. Craig
Andrews, an Outpost.com spokesman, told Wired News the problem would be fixed January 24,
the day that it was brought to the company's attention.
In Jacksonville, Florida, the credit card information of 227 area customers of local ISP
Community Connections has been exposed for two years because of a glitch in Microsoft
Front Page, software that allows subscribers to sign up online. According to the January
28 Gainesville Sun, one of the ISP's customers discovered the Web address to find the
credit card numbers as well as other subscriber data, including name, address, telephone
number and passwords. The customer alerted the newspaper, which informed the ISP.
Community Connections corrected the error and sent all exposed customers a certified
letter explaining the situation.
Tom Bailey, Microsoft product manager for Front Page, said Microsoft two years ago
instructed ISPs to fix the problem with a free patch. Since it had been over two years
when we first discovered this potential problem, we were pretty confident that it had
been resolved, Bailey said. Until today. He added that Microsoft would again contact
ISPs. He would not specify how many ISPs he believed to be using the vulnerable, 1997-98
versions of Front Page. Community Connections stressed that there had been no reported
victims of credit fraud from the glitch. 
The impact of these and other security glitches is softened for some by the fact that no
one was really hurt. That is why a January 30 story out of the San Jose Mercury News is
more unsettling. A network of hackers is constantly seeking to take advantage of
weaknesses in ever more popular, high-speed DSL Internet connection services. These
hackers are not after you, but want to take over your computer in order to launch attacks
on others while hiding their identities. 
It is not the speed of the connection, but the fact that the user is typically connected
for much longer periods of time. A hacker who identified himself as alkali said he is
always searching for unsecured home systems with a high-speed connection, which he values
because he can move data more rapidly. Cable modems changed my life, he claimed. 
Jerry Asher, a Berkeley subscriber to a Pac Bell DSL service, said he installed a
firewall that recently documented attacks from hackers with Internet addresses in North
Korea, Germany and Serbia. German hackers, for instance, checked to see if Asher's
computer had three different types of software that could be used to communicate with
other computer networks, such as a corporate system. Asher said that Pac Bell does not
warn consumers of possible security problems, and that most do not have firewalls.
Darren Newell, a data security director for SBC Communications, Pacific Bell's parent
company, said the firm soon plans to use its Web site to caution consumers about online
security issues. But it does not tell customers who sign up for $49-a-month home DSL
lines about the risks and how to avoid them.
The computers at the Energy Department's Lawrence Livermore National Lab are under daily
assault from would-be intruders, according to William Orvis, the Lab's computer security
expert. Orvis said he has seen plenty of evidence that hackers break into home computers
and use them to mount attacks on others. The consequences for innocent users can be
catastrophic. 
"If we see an attack coming from somebody's home machine, we're going to ask your ISP to
disconnect you,"' Orvis said. Those who get caught up in a serious security breach may
find law enforcement authorities seizing their equipment and examining it to try to track
down the hacker and develop evidence for a criminal prosecution.
Bob Sullivan of MSNBC reported on an Internet chat room where carders buy and sell credit
card numbers stolen from the Internet. The electronic scene resembles a combination of a
commodity traders' floor and a street corner of drug dealers. Typically, a carder posts a
claim that he has a "fresh list of cards," and then to prove it, he posts a sample card,
including billing address, phone number, etc., into the open chat room. A feeding frenzy
follows. A participant reports that the sample card is maxed out within 10 minutes, and
then others jump in to buy the remaining list.
One anonymous source across a list of 10,000 or 20,000 numbers, and it took two days to
figure out who to contact. There is no Web page or e-mail address set up by credit card
companies like Visa to help report fraudulent activity. A spokeswoman for Visa said her
company does monitor a number of public sources of information, but declined to offer
details, saying that would compromise the company's monitoring methods. Told of a freshly
posted Web page with an exposed credit card number, she replied: You can assume we
already know about that. 
A great deal is at stake - for Visa alone, there was $487 million in fraudulent charges
reported last year - but that's still a fraction of the $700 billion in total sales.
"What's more," Visa says, "fraud rates are actually down, and fraud rates on Net
transactions are only slightly higher than real-world rates" (.09 percent to .07
percent).
In Rome, Italian Privacy Commissioner Stefano Rodota ordered Infostrada, the country's
second-largest telecom, to temporarily shut down its free ISP service for violating
national privacy laws. The free service, Libero, required users to disclose their age,
health status, sexual habits, as well as political, labor, and religious preferences, an
unlawful imposition, Rodota said. 
He added that his office will be designing a series of guidelines for Internet services
and contracts that will insure companies like Infostrada do not trample privacy. He is
looking into other free Internet services as well. Infostrada admitted the original
contract for Libero service did, in fact, conflict with privacy rules and took immediate
action to correct the problem. A company spokesperson said that it was merely an
oversight. The information required was utilized for marketing purposes, as the access
for free Internet is compensated by advertising, and not to spy on users.
Informed Customer Consent 
After conducting an opinion survey of Internet users, a database-marketing firm has
recommended that e-commerce Web sites post clear privacy policies and obtain the informed
consent of their customers before using their data.
"At the minimum, make sure all information is collected using the fundamentals of
permission marketing. This means 'opt-in' should be the default," wrote Cyber Dialogue a
market research and database marketing company. 
Web sites should always facilitate an easy opt-out procedure on every communication. This
does not mean opt-in opens the floodgates, rather it is only the first step in
establishing a continuous dialogue with a company's most valuable customers. Consumer
ignorance about terms like 'opt in' should not be taken advantage of.
The survey found there was a strong desire for personalization among Internet consumers
and a growing awareness of cookies and other data collection practices. Increasing
numbers are willing to give their names and other demographic data in exchange for
personalization. What many will not accept, however is the distribution of personal
information, including age, name, education, address, salary or credit card number -
without permission or compensation.
The survey found that 88% were willing to give their name, compared to 67% in 1997.
Nearly 90% were willing to give level of education, age, hobbies and attitudes toward the
Internet. Some 59% were willing to give household income, compared to 44% in 1997; 41%
would reveal salary, compared to 29% in 1997; and 13% were willing to give a credit card
number, compared to 4% in 1997.
While 38% of online users see the benefit of receiving targeted marketing messages from a
personalized site, they do not appreciate targeted messages from sites that they have not
personalized or registered with, as it is a clear indication that their information has
been disclosed to a third party. Web sites should not mistake a consumer's need for
relevant content as a sign of tolerance for unsolicited marketing messages.
Over 95% of "cybercitizens" have received unsolicited e-mail and the consensus is strong
- they are clearly annoyed and have taken steps to prevent it. This marketing technique,
also known as spam, is ineffective to the point of being counter-productive.
Cyber Dialogue recommended that Web sites only collect information that is absolutely
necessary and treat it with respect. 
While published privacy policies are commonly used to inform users of the company's
practice and gain their trust, the reality is that these policies are often
inconspicuously placed on the site, full of legal jargon and difficult to understand.
The long-term gain of retaining high-value customers clearly outweighs short-term gain of
selling them out. Building a two-way dialogue is what this medium is all about.
Privacy protection is an issue that is not top-of-mind among consumers, but as soon as it
is violated, the latent-sleeping giant awakes. Web sites should assure its customers that
they are proactively on guard to protect their customers' right to privacy. Companies
should never compromise this commitment for short-lived benefits.
Informed consent of the customers is vital to the use of e-data.
Pay-to-Surf Companies
Software programs circulating on the Internet are secretly using anonymous web browsers
and other anonymizing services to defraud companies that pay Web users to surf the
Internet. 
Often called "pay-to-sleep" programs, such software has been circulated on popular
Internet bulletin boards and chat rooms. The programs simulate web surfing on a computer
while the user is away, generating funds from a pay-to-surf service. These programs rely
on many anonymous web browsers to "launder" their web surfing. This slows the surfing for
others using anonymous services, compelling the operators to pay for faster and more
expensive Internet connections to the Web servers that run their site.
Defrauding pay-to-surf companies has become the latest scam in cyberspace. In the world
of electronic commerce such a scenario is the cyber equivalent of discovering the local
drug dealer has commandeered your store's pay phone, or learning that your accountant is
laundering funds through your business.
It also places the operators of anonymous sites in an ethical quandary: If your site is
designed for anyone to use for any anonymous purpose, do you have a right to complain if
someone is using it for a purpose that you find objectionable?
"We have to, on the one hand, say 'We don't care what you do,' and on the other hand say
'We may not care what you do, but if you are doing something that we know of, that is
circumventing the controls on our browser, you will be banned'," said Steven Watsky,
president of the Prague-based Websperts.net computer consulting company. "We are in the
unique position of not having to have records, yet we have to keep a certain record, a
404 log, so that our bandwidth does not get eaten up," he added.
Watsky hopes to turn his "Clandestination" anonymous browser into a "Swiss bank on the
Internet," a subpoena-proof, untraceable site that will keep no records whatsoever of
what users do with the browser. Now soliciting venture capital, Watsky plans to relocate
his server to a foreign country-that he declined to name-that is exempt from
international laws requiring him to comply with subpoenas for user records.
But six weeks ago, after changing the file name of his anonymous browser, Watsky
discovered that a few IP addresses were hitting his site thousands of times looking for
the old file name. 
"If we see a great number of files not found, you are doing one of two things: You are
either using an outdated address for our browser, or you are doing something on our site
that you should not be doing," Watsky said.
Meanwhile, however, Watsky said the fraudulent software programs are clogging his browser
and placing a drag on his server with tens of thousands of erroneous hits. After a single
IP address logged 500 404s, he did some research. He tracked the user to an address on a
free Web hosting service, and was surprised at what he found.
The software program in use, called MoveThis!, was tied into virtually every anonymous
service in the world, Watsky said. "He had a foolproof way of you being able to score
points and the pay-to-surf services would not know that you had lied about the number of
points or that you had loaded up the points yourself," he said.
Privacy Times found copies of MoveThis! and similar programs on the betanews.com Website,
a reputable site that posts pre-release versions of commercial software, shareware, and
freeware programs. Other programs on betanews included allMouse and Fake Surf, all touted
as programs designed to simulate Web surfing.
Watsky said that for the past six weeks he has been playing a cat and mouse game with
users of the software. The only way he was able to shut off the offending users was to go
directly to the pay-to-surf companies with the account numbers of the perpetrators.
Guerrilla War on Nosy Sites
Dot coms have been caught snooping all summer-and a new privacy survey of over 1,000
Internet surfers shows they are striking back. The dispute du jour involves Pharmatrak.
Privacy advocates accused the Boston technology firm of secretly tracking the Web habits
of those who visit the sites of eleven pharmaceutical giants, including Pfizer,
Pharmacia, and SmithKline Beecham. By using tiny computer data tags called 'cookies,
Pharmatrak records the browsing habits of users wanting to know more about various
medical conditions such as herpes, allergies, and drug addiction.
While Pharmatrak officials say they track users anonymously, the company's Web site
states that in the future it may personally identify visitors.
Deception apparently begets deception. A study released by the Pew Internet and American
Life Project found that about one quarter of Net users have provided phony personal data
to Web sites: invented e-mail addresses, fake Social Security numbers, and alter egos
complete with bogus incomes, genders, and hobbies. These guerrilla tactics serve the dual
purposes of camouflaging the surfer while also distorting the data collected online.
Lying has become more socially acceptable because of how rampant and out of control the
privacy violations are, says Carrie McLaren, editor of Stay Free!, a magazine that
advocates online deceit.
Like previous privacy studies, the Pew survey found an overwhelming share of Internet
users-86 percent-are worried about the privacy of their personal data online. For some
surfers the solution is to do nothing. Nearly half of those online have not yet provided
their real e-mail addresses, names, or other personal info to a Web site. (This group
includes mostly people who click away from a Web site when asked for data, but also those
who have never been asked, and those who lie.) While this lack of participation does not
prevent Web companies from collecting data, it keeps the surfer's online profile
anonymous. The study also found that few consumers use software designed to protect their
online privacy.
The only privacy tools users really have are dishonesty and overly complicated
technologies. Only five percent of surfers have used a program that cloaks a user's
identity from Web sites.
The Pew study found that 86 percent of Net users want opt-in privacy policies that would
require companies to win their permission before using personal information. But that
runs counter to industry practices. An agreement negotiated between a group of the
largest Web advertisers and the Federal Trade Commission generally places the burden on
the consumer to "opt out of such data collection.
Until online privacy policies change, the Pew study suggests consumers thirst for
vengeance. If a company violates its online policy, 94 percent of Net users want its
executives punished - eleven percent even favor jail time. 
Summary
The use of online deception tactics such as fake names highlights the
compartmentalization that is the basic tool of people who want to control their privacy.
Judith Donath, an MIT professor who studies identity and online behavior, says that until
Web sites design spaces that are clearly public or private, users will have trouble
choosing what information to share and what to hide. She adds that such fundamental
decisions about what to share "shouldn't be about reading the fine print" of a Web site's
privacy policy, but instead should be as obvious as the difference between staying in the
privacy of your own home versus walking down the street. When a user is in "public"
Internet space such as an online store, she suggests, the user would be correct in
assuming that her movements are watched. When the user was in "private" space, he would
have the right to expect that nothing about his activities there would be monitored,
gathered into a profile, or sold to anyone or any firm unless he authorized it. Just as
people act one way in their dens and another way at a party, Internet users want to make
sure that the Internet world recognizes nuances about when "public" and viewable events
are occurring as opposed to "private and sensitive communications.
Internet users may not know all the tricks when it comes to protecting their privacy
online, but they know problems when they see them. And if their trust is betrayed, they
want vengeance.
The Federal Trade Commission currently lacks the authority to enforce privacy standards
on commercial Web sites, unless the content is directed at children. In May of this year,
the FTC released a report on privacy online that noted that "only 20% of the busiest
sites" implemented the four widely-accepted fair information practices: 1) notice,
displaying a clear and conspicuous privacy policy, 2) choice, allowing consumers to
control the dissemination of information they provide to a site, 3) access, opening up
the customer's personal information file for inspection, and 4) security, protecting the
information from consumers. The commission maintained that industry self-regulation had
fallen short. Even as it agreed to a self-regulation scheme with Internet advertisers,
the FTC called on Congress to expand the agency's enforcement power "to ensure adequate
protection of consumer privacy online."
In their attitudes, Internet users express considerable fears about a number of problems
they might face online. They report, though, that the actual incidence of online problems
is not very substantial. Finally, despite those fears, they behave in surprisingly
trusting ways in many sensitive online areas. However, those fears cannot be discounted
because they do seem to inhibit some groups, especially Internet novices and parents,
from participating in some kinds of Internet activities.
Concerns about privacy are notably higher among some groups, especially Internet novices
(those who first got online within the past six months), parents, older Americans, and
women. In some instances, these fears are associated with lower participation in some
online activities, especially commercial and social activities. There is no way to know
yet whether these groups will eventually become more comfortable and less fearful in the
online world or whether their wariness will permanently limit their use of the Internet
until their concerns about protecting personal information are met.