Software And The Death of Privacy

Supreme Court Justice William O. Douglas once wrote that the right to be left alone is the beginning of all freedom. That's bad news, because privacy as we've come to understand the idea is over, and tracking software -- now widely deployed on the Web and in businesses from banking to supermarkets -- helped to kill it.

"I am not the first to point out that capitalism, having defeated communism, now seems about to do the same to democracy. The market is doing splendidly, yet we are not."

--- Ian Frazier, "On the Rez."

All week, we visit Web sites, Weblogs, mailing lists; we download software, buy books, check out movie reviews, visit news sites, order vitamins and DVDs; download MP3s; go to chat rooms; check in on ICQ, AIM. Each time, some program is tracking our every move, compiling elaborate marketing profiles, often collating the information with vast databases and selling the resulting information without our knowledge.

Privacy, as most of us have come to understand the idea, is over.

Except to the Unabomber or to a handful of Luddites living in the desert, the idea that we can keep our personal, financial and other information from corporations and governments is as outdated as the idea that the movie industry can jail all the people helping themselves to DeCSS software.

A growing array of software makes much of our individual behavior trackable - what we buy, what we read, where we visit, how we get our information. Companies that produce and deliver banner ads can track your clicks from site to site across the Web. They can cross-reference your personal ID with records listing your name, address, telephone number, e-mail, purchasing and browsing habits.

Amazon.com has pioneered recognition software programs that compile individuals' tastes and choices over time, a technology that's been adopted by supermarkets and hardware stores, who recognize us the minute they swipe our credit cards or take our telephone numbers.

ISPs (like AOL) and portals and search engines can record which chat rooms you enter, what news pages you read, what pages you've bookmarked.

Most Americans have no idea that marketers can store their user IDs in cookie files and track their movements so precisely and comprehensively. Were a government to attempt this, politicians and civil libertarians would explode in righteous fury. But when done this gradually, technologically, out of sight and in incremental, software-driven steps, it simply creates an astonishing new social reality: Those of us who go online regularly (this year, that will be more than 130 million people) no longer have a voluntarily zone of privacy.

None of us any longer has any clear idea just how much personal information about us has been gathered, or who might have acquired or stored it. Nor is it possible to imagine all the future circumstances - applying for jobs, graduate school or government grants; fending off a lawsuit, running for political office; tangling with a law enforcement agency or court - in which this information might haunt us or be wielded against us. In the name of marketing and writing cool software, we've voluntarily surrendered one of the most important human rights. (See USA Today story on DoubleClick, Web-tracking and Slashdot.)

No national politician has made the death of privacy a major political issue, nor is any congressional committee investigating it. The truth is, it's no longer an issue; privacy in the traditional sense doesn't exist anymore. In a world where we're all increasingly dependent on networked computing for work, banking, music, movies, research and personal communications, it's unlikely ever to return.

Privacy has historically been considered a fundamental element of individual liberty. Thomas Jefferson argued repeatedly that privacy from governmental or other intrusion into personal lives (he had British soldiers in mind) was a basic human right. Supreme Court Justice William O. Douglas wrote that "the right to be left alone is the beginning of all freedom." Said political philosopher Jean Cohen: "A constitutionally protected right to privacy is indispensable to any modern conception of freedom."

The death of privacy has been so relentless, indirect and unintended, however, as to have gone virtually unnoticed. Reporters routinely pry into the most intimate details of the lives of public figures. Computers were collecting personal data on individuals even before the Net and the Web. Spy satellites overhead collect pinpoint photographs; government technicians pull cell and wireless calls out of the air; and police forces can even trace our auto trips as we pass through digitalized toll booths.

Since the use of the Net and Web is, increasingly, no longer an option but a necessity, we surrender our privacy --- usually unknowingly. Every time we go online, some marketer learns a bit more about us or our families.

According to the Interagency Financial Institution Web Site Privacy Survey, conducted by the Federal Deposit Insurance Corporation (FDIC), all of the 50 largest financial institutions online collect three or more pieces of personal or demographic information about users. The FDIC says that only eight of the 50 largest institutions meet minimal privacy data standards. That is, they fail to explain what data is being collected, allow consumers to opt out, permit access to the information, provide secure storage for the data, and provide customers a way to contact the company regarding privacy issues.

Last week, American Demographics magazine reported that new "data-mining" tools being deployed in food markets are promising to track frequent-shopper behavior both in and out of the store. The magazine reported that 46% of Americans now "swipe and save", that is, they use frequent shopper cards and programs. These digital cards are used to store customer gender, identify and age, and preferences in everything from hygiene products to junk food. They are then sold or traded for information from databases gathered by other businesses. In this way, companies can gather increasingly detailed portraits of almost everyone who uses a bank, credit or other money card, all now digitalized.

In his book "Code; and Other Laws of Cyberspace," Harvard Law Professor Lawrence Lessig argues that the Internet will be regulated shortly, but not in the way we've feared. "Left to itself, cyberspace will become a perfect tool of control, not by the government, but by software programmers helping to track our every move."

Important aspects of privacy will be erased, he warns. Password - driven software will one day demand payment for every individual reader action, from copying a paragraph to reading something more than once. Free browsing, sharing and quoting from online works will be eliminated. This will also, Lessig warns, inhibit free speech. Once Net users realize that companies like America Online can trace their movements and tailor on-screen advertising to match their habits, people will increasingly be conscious of what they say and where they say it.

If so, the future Lessig foresees will catch most Netizens (including this one) off-guard, especially the belief that copyright and intellectual property can't really be preserved as the Net and the Web grow. We haven't come to grips with the idea that the technologies most of us see as liberating are destroying our privacy.

With the collapse of Communism, which featured powerful stage agencies like the KGB and the Stasi which gathered vast amounts of personal data on citizens, the idea of brutally repressive political systems already seems remote. For better or worse, national politicians in the United States bitterly compete with one another to see who can define government in the cheapest and narrowest way. Marketers are taking advantage of this comparatively benign political period to take until-recently unimaginable liberties with our personal freedoms. So far, the corporations collecting this information have seemed relatively discreet, especially compared to brutal governments. If you pay careful attention to the Spam you get online, it's sometimes possible to see who's collecting just what kind of information about you.

And increasingly, even these image-conscious companies show their teeth. Free music sites are being shut down; a Norwegian teenager gets hauled off to the police station for allegedly violating restrictions on DVD programming code.

As for governments, the geeks and nerds who've grown up on the Net have encountered almost comically clueless ones. When it comes to repression - as in the Communications Decency Acts and Congressional votes requiring the Ten Commandments in schools - our government has been about as knowing and menacing as the Three Stooges. It's easy to understand why people struggle to take it seriously. But that hasn't always been the case. Personal privacy is a monumental safeguard against abuse of governmental authority. The distance between corporate and government computers is a very short one.

For a malevolent government - the kind Jefferson worried about, and the reason the Bill of Rights was crafted in the first place - it would be radically simple to figure out who the "troublemakers" are, what forbidden books they bought, or what politically unacceptable movies they viewed (they wouldn't have to go much further than AOL/Time-Warner). Access to this kind of information ought not be passed around among corporations. If citizens wish to give up their privacy, they obviously have the right to do so. But they ought to be given a choice. Shockingly, it's already too late for that.

This issue now permeates almost every level of American society. In the name or preventing violence, schools use computer software programs to gather information on potentially "violent" students, kids that teachers find disturbing or alarming. No one knows where this data goes - presumably to law enforcement authorities, where it remains in secret digital files for life.

The tragedy of technology is that we refuse, as a society, to consider its implications, from fertility drugs and genetic research to artificial intelligence to supercomputing.

While our political, educational and media institutions focus obsessively on exaggerated or meaningless issues like the spread of sexual imagery, or invoke the undocumented specter of media violence, larger and more fundamental issues like the loss of privacy go largely undiscussed.

Thus hard-won values slip away without much national discussion or debate. This genie is probably never going back into the bottle. Given the epidemic spread of data-tracking software, it's hard to imagine we'll ever have "the right to be left alone" again.

The Death Of Privacy

[jd]

Reminds me of the *cough* announcement of the death of Samuel Clemens (Mark Twain).

Premature, for sound-bite effect.

Privacy CAN exist on the Internet, as it stands. It's very, very easy.

1. Use an IPv6-capable browser, pointing to an IPv6/IPv4 web proxy/cache. Any "snoop" software will either record the address of the proxy (not you), or buffer-overflow on the longer addresses and explode.
2. Use PGP or GPG for E-mail. DON'T SEND TEXT IN THE CLEAR!
3. Use SSH, NEVER RSH or Telnet. Same reason as above, DOUBLY SO for passwords.
4. Use the 6Bone to carry connections, whenever possible. It'll mangle conventional tracking systems.
5. Use IPSec, whenever possible. Market Researchers can sniff web surfers just as easily as crackers.
6. Use dynamic IP allocation, where possible. Makes it harder to correlate data.
7. NEVER, EVER click on a banner advert, unless you trust the originating site AND the destination site AND the company hosting the adverts.
8. NEVER, EVER reply to spam. It tells marketers which e-mail addresses are active. Forward it to administrators and/or a lawyer, depending on where you are.
9. Install Intruder Detection software. If any software is sending data you haven't authorised, or sites are talking with your computer without your consent, you need to know about it.
10. Move those financial accounts you can to European banks in countries with STRICTLY ENFORCED privacy laws. That won't give you 100% protection, but a fence with "Keep Out" signs is still better than no fence, a paved road, and "Companies Welcome" signs, pointing to all your financial data.
11. Use anonymous remailers and anonymous web proxies where practical. Remember, though, that these get raided daily by police, and that useful data can get "accidently" leaked to interested parties, such as multi-national stores and mega corporations. Therefore, if you use them, be careful.
12. There's absolutely NOTHING to stop Linux users setting their machine up as a router, injecting a false route to a non-existant IP address, which your computer merely happens to "route". All you need then is a means of sniffing packets going to this ficticious computer, and injecting packets with false headers. Market researchers can snoop all they like, then, but there's no way of locating a computer that doesn't exist.

Related sources for hard facts

[dsplat]

The Risks Digest frequently covers issues related to this. The latest issue contains a brief comment on Simson Garfinkel's new book, Database Nation: The Death of Privacy in the 21st Century published by O'Reilly & Associates. The PRIVACY Forum is also an excellent resource on issues of privacy and technology.

Privacy, Technology, Freedom state of the union...

[Some+Id10t]

First off, complete privacy and complete freedom are mutually exclusive. Every idealist wants the freedom to do whatever they want, the privacy for no one to know about it, and security from everyone else. Is it not blatenly obvious to everyone how impossible this formula is?

You can either have
(1) Freedom to do whatever you want, subject to the visibility and scrutiny of others (no privacy)

(2) Freedom to do whatever you want in complete privacy, with the risk of people using the combination to commit crime and take advatange of you
or
(3) No freedom whatsoever, total privacy, and total security. (Anyone caught doing something wrong is punished)

For those of you who say learn the technology tell me you already knew about the Reliant Digital Intercept System being sold to law enforement agencies by Comverse Infosys. This thing has the ability to monitor multiple simultaneous voice conversations and automatically flag and record only "interesting" calls, based on voice recognition and pattern matching. Pretty scary!

Just my $.02...