A trend of great concern is the partnership of major consumer directory services with companies that compile so called “public-records” databases. Such databases compile records from a wide variety of government agencies, including courts, vital statistics departments, tax rolls, elections records, or agencies that regulate professional licenses. In addition, some companies also purchase data that is mined from questionnaires, applications for credit cards, manufacturer’s warranty information and other commercial sources.
Revenues are often the primary motivators for state agencies that license or sell access to their databases.
Web access to these data aggregators only broadens a growing problem inherent in these data services: consumers do not have access to the public information maintained about them and disseminated by the look-up services. Accordingly, consumers will not be able to check for inaccuracies resulting from transcription or other errors occurring in the process of obtaining or compiling the public information by the look-up services.
In addition to not being able to access the information maintained about them in these massive data warehouses, many of the large data mining companies do not offer individuals the ability to remove their personal data from the databases.
A wide array of personal information about each of us is kept electronically by others – by medical insurers, employers, credit card companies, banks, phone companies and a wide range of government and private agencies, some of which are in the business to sell our personal information, no matter how private. And new technologies keep arising to develop, collect, store and disseminate the most private information about each of us, with few, if any legal protections.
As a result, Americans suffered a record number of privacy violations, from marketing of prescription drug information to government sales of Department of Motor Vehicles information, including photos, to the Clinton Administration’s plan to assign every American a “unique health identifier” that could be used to create a giant database of our medical records from cradle to grave, without adequate safeguards to prevent unauthorized dissemination.
Internet Privacy: an Oxymoron in Progress
A swirl of recent events only seems to confirm fears that consumers cannot trust their privacy to the Internet.
There are many sources of the problem: data-hungry Internet firms bent on exploiting personal information; inattention to security and persistent technological glitches; and a growing underground of hackers who are willing to take advantage of the situation.
Much of the recent attention was focused on DoubleClick, the Internet ad firm. But several other less publicized incidents have added fuel to the fire.
For instance, Outpost.com, a Web site offering palm pilots and other hi-tech gear, promised to fix a glitch that potentially revealed customers’ detailed transaction summaries, including e-mail, billing and shipping addresses, type of credit card they used, and their order history.
Outpost.com customer James Wynn noticed his order number was in his URL address. When he changed digits in the URL address, he was able to see other customers’ orders. Craig Andrews, an Outpost.com spokesman, told Wired News the problem would be fixed January 24, the day that it was brought to the company’s attention.
In Jacksonville, Florida, the credit card information of 227 area customers of local ISP Community Connections has been exposed for two years because of a glitch in Microsoft Front Page, software that allows subscribers to sign up online. According to the January 28 Gainesville Sun, one of the ISP’s customers discovered the Web address to find the credit card numbers as well as other subscriber data, including name, address, telephone number and passwords. The customer alerted the newspaper, which informed the ISP. Community Connections corrected the error and sent all “exposed” customers a certified letter explaining the situation.
Tom Bailey, Microsoft product manager for Front Page, said Microsoft two years ago instructed ISPs to fix the problem with a free patch. “Since it had been over two years when we first discovered this potential problem, we were pretty confident that it had been resolved,” Bailey said. “Until today.” He added that Microsoft would again contact ISPs. He would not specify how many ISPs he believed to be using the vulnerable, 1997-98 versions of Front Page. Community Connections stressed that there had been no reported victims of credit fraud from the glitch.
The impact of these and other security glitches is softened for some by the fact that “no one was really hurt.” That is why a January 30 story out of the San Jose Mercury News is more unsettling. A network of hackers is constantly seeking to take advantage of weaknesses in ever more popular, high-speed “DSL” Internet connection services. These hackers are not after you, but want to take over your computer in order to launch attacks on others while hiding their identities.
It is not the speed of the connection, but the fact that the user is typically connected for much longer periods of time. A hacker who identified himself as “alkali” said he is always searching for unsecured home systems with a high-speed connection, which he values because he can move data more rapidly. “Cable modems changed my life,” he claimed.
Jerry Asher, a Berkeley subscriber to a Pac Bell DSL service, said he installed a firewall that recently documented attacks from hackers with Internet addresses in North Korea, Germany and Serbia. German hackers, for instance, checked to see if Asher’s computer had three different types of software that could be used to communicate with other computer networks, such as a corporate system. Asher said that Pac Bell does not warn consumers of possible security problems, and that most do not have firewalls.
Darren Newell, a data security director for SBC Communications, Pacific Bell’s parent company, said the firm soon plans to use its Web site to caution consumers about online security issues. But it does not tell customers who sign up for $49-a-month home DSL lines about the risks and how to avoid them.
The computers at the Energy Department’s Lawrence Livermore National Lab are under daily assault from would-be intruders, according to William Orvis, the Lab’s computer security expert. Orvis said he has seen plenty of evidence that hackers break into home computers and use them to mount attacks on others. The consequences for innocent users can be catastrophic.
“If we see an attack coming from somebody’s home machine, we’re going to ask your ISP to disconnect you,”’ Orvis said. Those who get caught up in a serious security breach may find law enforcement authorities seizing their equipment and examining it to try to track down the hacker and develop evidence for a criminal prosecution.
Bob Sullivan of MSNBC reported on an Internet chat room where “carders” buy and sell credit card numbers stolen from the Internet. The electronic scene resembles a combination of a commodity traders’ floor and a street corner of drug dealers. Typically, a carder posts a claim that he has a “fresh list of cards,” and then to prove it, he posts a sample card, including billing address, phone number, etc., into the open chat room. A feeding frenzy follows. A participant reports that the “sample” card is maxed out within 10 minutes, and then others jump in to buy the remaining list.
One anonymous source across a “list of 10,000 or 20,000 numbers, and it took two days to figure out who to contact.” There is no Web page or e-mail address set up by credit card companies like Visa to help report fraudulent activity. A spokeswoman for Visa said her company does monitor a number of public sources of information, but declined to offer details, saying that would compromise the company’s monitoring methods. Told of a freshly posted Web page with an exposed credit card number, she replied: “You can assume we already know about that.”
A great deal is at stake — for Visa alone, there was $487 million in fraudulent charges reported last year — but that’s still a fraction of the $700 billion in total sales. “What’s more,” Visa says, “fraud rates are actually down, and fraud rates on Net transactions are only slightly higher than real-world rates” (.09 percent to .07 percent).
In Rome, Italian Privacy Commissioner Stefano Rodota ordered Infostrada, the country’s second-largest telecom, to temporarily shut down its free ISP service for violating national privacy laws. The free service, Libero, required users to disclose their age, health status, sexual habits, as well as political, labor, and religious preferences, an unlawful imposition, Rodota said.
He added that his office will be designing a series of guidelines for Internet services and contracts that will insure companies like Infostrada do not trample privacy. He is looking into other free Internet services as well. Infostrada admitted the original contract for Libero service did, in fact, conflict with privacy rules and took immediate action to correct the problem. A company spokesperson said that it was merely an oversight. The information required was utilized for marketing purposes, as the access for free Internet is compensated by advertising, and not to “spy” on users.
After conducting an opinion survey of Internet users, a database-marketing firm has recommended that e-commerce Web sites post clear privacy policies and obtain the informed consent of their customers before using their data.
“At the minimum, make sure all information is collected using the fundamentals of permission marketing. This means ‘opt-in’ should be the default,” wrote Cyber Dialogue a market research and database marketing company.
Web sites should always facilitate an easy opt-out procedure on every communication. This does not mean opt-in opens the floodgates, rather it is only the first step in establishing a continuous dialogue with a company’s most valuable customers. Consumer ignorance about terms like ‘opt in’ should not be taken advantage of.
The survey found there was a strong desire for personalization among Internet consumers and a growing awareness of cookies and other data collection practices. Increasing numbers are willing to give their names and other demographic data in exchange for personalization. What many will not accept, however is the distribution of personal information, including age, name, education, address, salary or credit card number – without permission or compensation.
The survey found that 88% were willing to give their name, compared to 67% in 1997. Nearly 90% were willing to give level of education, age, hobbies and attitudes toward the Internet. Some 59% were willing to give household income, compared to 44% in 1997; 41% would reveal salary, compared to 29% in 1997; and 13% were willing to give a credit card number, compared to 4% in 1997.
While 38% of online users see the benefit of receiving targeted marketing messages from a personalized site, they do not appreciate targeted messages from sites that they have not personalized or registered with, as it is a clear indication that their information has been disclosed to a third party. Web sites should not mistake a consumer’s need for relevant content as a sign of tolerance for unsolicited marketing messages.
Over 95% of “cybercitizens” have received unsolicited e-mail and the consensus is strong – they are clearly annoyed and have taken steps to prevent it. This marketing technique, also known as spam, is ineffective to the point of being counter-productive.
Cyber Dialogue recommended that Web sites only collect information that is absolutely necessary and “treat it with respect.”
While published privacy policies are commonly used to inform users of the company’s practice and gain their trust, the reality is that these policies are often inconspicuously placed on the site, full of legal jargon and difficult to understand.
The long-term gain of retaining high-value customers clearly outweighs short-term gain of selling them out. Building a two-way dialogue is what this medium is all about.
Privacy protection is an issue that is not top-of-mind among consumers, but as soon as it is violated, the latent-sleeping giant awakes. Web sites should assure its customers that they are proactively on guard to protect their customers’ right to privacy. Companies should never compromise this commitment for short-lived benefits.
Informed consent of the customers is vital to the use of e-data.
Software programs circulating on the Internet are secretly using anonymous web browsers and other anonymizing services to defraud companies that pay Web users to surf the Internet.
Often called “pay-to-sleep” programs, such software has been circulated on popular Internet bulletin boards and chat rooms. The programs simulate web surfing on a computer while the user is away, generating funds from a pay-to-surf service. These programs rely on many anonymous web browsers to “launder” their web surfing. This slows the surfing for others using anonymous services, compelling the operators to pay for faster and more expensive Internet connections to the Web servers that run their site.
Defrauding pay-to-surf companies has become the latest scam in cyberspace. In the world of electronic commerce such a scenario is the cyber equivalent of discovering the local drug dealer has commandeered your store’s pay phone, or learning that your accountant is laundering funds through your business.
It also places the operators of anonymous sites in an ethical quandary: If your site is designed for anyone to use for any anonymous purpose, do you have a right to complain if someone is using it for a purpose that you find objectionable?
“We have to, on the one hand, say ‘We don’t care what you do,’ and on the other hand say ‘We may not care what you do, but if you are doing something that we know of, that is circumventing the controls on our browser, you will be banned’,” said Steven Watsky, president of the Prague-based Websperts.net computer consulting company. “We are in the unique position of not having to have records, yet we have to keep a certain record, a 404 log, so that our bandwidth does not get eaten up,” he added.
Watsky hopes to turn his “Clandestination” anonymous browser into a “Swiss bank on the Internet,” a subpoena-proof, untraceable site that will keep no records whatsoever of what users do with the browser. Now soliciting venture capital, Watsky plans to relocate his server to a foreign country—that he declined to name—that is exempt from international laws requiring him to comply with subpoenas for user records.
But six weeks ago, after changing the file name of his anonymous browser, Watsky discovered that a few IP addresses were hitting his site thousands of times looking for the old file name.
“If we see a great number of files not found, you are doing one of two things: You are either using an outdated address for our browser, or you are doing something on our site that you should not be doing,” Watsky said.
Meanwhile, however, Watsky said the fraudulent software programs are clogging his browser and placing a drag on his server with tens of thousands of erroneous hits. After a single IP address logged 500 404s, he did some research. He tracked the user to an address on a free Web hosting service, and was surprised at what he found.
The software program in use, called MoveThis!, was tied into virtually every anonymous service in the world, Watsky said. “He had a foolproof way of you being able to score points and the pay-to-surf services would not know that you had lied about the number of points or that you had loaded up the points yourself,” he said.
Privacy Times found copies of MoveThis! and similar programs on the betanews.com Website, a reputable site that posts pre-release versions of commercial software, shareware, and freeware programs. Other programs on betanews included allMouse and Fake Surf, all touted as programs designed to simulate Web surfing.
Watsky said that for the past six weeks he has been playing a cat and mouse game with users of the software. The only way he was able to shut off the offending users was to go directly to the pay-to-surf companies with the account numbers of the perpetrators.
Dot coms have been caught snooping all summer–and a new privacy survey of over 1,000 Internet surfers shows they are striking back. The dispute du jour involves Pharmatrak. Privacy advocates accused the Boston technology firm of secretly tracking the Web habits of those who visit the sites of eleven pharmaceutical giants, including Pfizer, Pharmacia, and SmithKline Beecham. By using tiny computer data tags called ‘cookies,” Pharmatrak records the browsing habits of users wanting to know more about various medical conditions such as herpes, allergies, and drug addiction.
While Pharmatrak officials say they track users anonymously, the company’s Web site states that in the future it may personally identify visitors.
Deception apparently begets deception. A study released by the Pew Internet and American Life Project found that about one quarter of Net users have provided phony personal data to Web sites: invented e-mail addresses, fake Social Security numbers, and alter egos complete with bogus incomes, genders, and hobbies. These “guerrilla tactics” serve the dual purposes of camouflaging the surfer while also distorting the data collected online. “Lying has become more socially acceptable because of how rampant and out of control the privacy violations are,” says Carrie McLaren, editor of Stay Free!, a magazine that advocates online deceit.
Like previous privacy studies, the Pew survey found an overwhelming share of Internet users–86 percent–are worried about the privacy of their personal data online. For some surfers the solution is to do nothing. Nearly half of those online have not yet provided their real e-mail addresses, names, or other personal info to a Web site. (This group includes mostly people who click away from a Web site when asked for data, but also those who have never been asked, and those who lie.) While this lack of participation does not prevent Web companies from collecting data, it keeps the surfer’s online profile anonymous. The study also found that few consumers use software designed to protect their online privacy.
The only privacy tools users really have are dishonesty and overly complicated technologies. Only five percent of surfers have used a program that cloaks a user’s identity from Web sites.
The Pew study found that 86 percent of Net users want “opt-in” privacy policies that would require companies to win their permission before using personal information. But that runs counter to industry practices. An agreement negotiated between a group of the largest Web advertisers and the Federal Trade Commission generally places the burden on the consumer to “opt out” of such data collection.
Until online privacy policies change, the Pew study suggests consumers thirst for vengeance. If a company violates its online policy, 94 percent of Net users want its executives punished – eleven percent even favor jail time.
Internet users may not know all the tricks when it comes to protecting their privacy online, but they know problems when they see them. And if their trust is betrayed, they want vengeance.
In their attitudes, Internet users express considerable fears about a number of problems they might face online. They report, though, that the actual incidence of online problems is not very substantial. Finally, despite those fears, they behave in surprisingly trusting ways in many sensitive online areas. However, those fears cannot be discounted because they do seem to inhibit some groups, especially Internet novices and parents, from participating in some kinds of Internet activities.
Concerns about privacy are notably higher among some groups, especially Internet novices (those who first got online within the past six months), parents, older Americans, and women. In some instances, these fears are associated with lower participation in some online activities, especially commercial and social activities. There is no way to know yet whether these groups will eventually become more comfortable and less fearful in the online world or whether their wariness will permanently limit their use of the Internet until their concerns about protecting personal information are met.