- Invasion of Privacy on the Internet
-
▪ 2001by Jeffrey RosenIn the year 2000 concerns about privacy in cyberspace became an issue of international debate. As reading and writing, health care and shopping, and sex and gossip increasingly took place in cyberspace, citizens around the world seemed concerned that the most intimate details of their daily lives were being monitored, searched, recorded, stored, and often misinterpreted when taken out of context. For many, the greatest threats to privacy came not from state agents but from the architecture of e-commerce itself, which was based, in unprecedented ways, on the recording and exchange of intimate personal information. In 2000 the new threats to privacy were crystallized by the case of DoubleClick, Inc.For a few years DoubleClick, the Internet's largest advertising company, had been compiling detailed information on the browsing habits of millions of World Wide Web users by placing “cookie” files on computer hard drives. Cookies are electronic footprints that allow Web sites and advertising networks to monitor people's on-line movements with telescopic precision—including the search terms people enter as well as the articles they skim and how long they spend skimming them. As long as users were confident that their virtual identities were not being linked to their actual identities, many were happy to accept DoubleClick cookies in exchange for the convenience of navigating the Web more efficiently. Then in November 1999 DoubleClick bought Abacus Direct, which held a database of names, addresses, and information about the off-line buying habits of 90 million households compiled from the largest direct-mail catalogs and retailers in the nation. Two months later DoubleClick began compiling profiles linking individuals' actual names and addresses to Abacus's detailed records of their on-line and off-line purchases. Suddenly, shopping that once seemed anonymous was being archived in personally identifiable dossiers. Under pressure from privacy advocates and dot-com investors, DoubleClick announced in March 2000 that it would postpone its profiling scheme until the U.S. government and the e-commerce industry had agreed on privacy standards. The retreat of DoubleClick might seem like a victory for privacy, but it was only an early battle in a much larger war—one in which many observers expected privacy to be vanquished. “You already have zero privacy—get over it,” Scott McNealy, the CEO of Sun Microsystems, memorably remarked in 1999 in response to a question at a product show at which Sun introduced a new interactive technology called Jini. Sun's cheerful Web site promised to usher in the “networked home” of the future, in which the company's “gateway” software would operate “like a congenial party host inside the home to help consumer appliances communicate intelligently with each other and with outside networks.” In this chatty new world of electronic networking, a household's refrigerator and coffeemaker could talk to a television, and all three could be monitored from the office computer. The incessant information exchanged by these gossiping appliances might, of course, generate detailed records of the most intimate details of their owners' daily lives.New evidence seemed to emerge every day to support McNealy's grim verdict about the triumph of on-line surveillance technology over privacy. A survey of nearly a thousand large companies conducted by the American Management Association in 2000 found that more than half the large American firms surveyed monitored the Internet connections of their employees. Two-thirds of the firms monitored e-mail messages, computer files, or telephone conversations, up from only 35% three years earlier. Some companies used Orwellian computer software with names like Spector, Assentor, or Investigator that originally was available for as little as $99 and could monitor and record every keystroke on the computer with video-like precision. These virtual snoops could also be programmed to screen all incoming and outgoing e-mail for forbidden words and phrases—such as those involving racism, body parts, or the name of the boss—and then forward suspicious messages to a supervisor for review.Changes in the delivery of books, music, and television were extending these technologies of surveillance beyond the office, blurring the boundaries between work and home. Amazon.com was criticized in 1999 for a feature that used postal codes and Internet domain names to identify the most popular books purchased on-line by employees at prominent corporations. In 2000 Amazon created further controversy by changing its privacy policy without warning and announcing that it would no longer permit customers to block the sharing of personal data. The same technologies that made it possible to download digitally stored books, compact discs, and movies directly onto computer hard drives would soon make it possible for publishers and entertainment companies to record and monitor each individual's browsing habits with unsettling specificity. “Snitchware” programs could regulate not only which books an individual read but also how many times he or she read them, charging different royalties on the basis of whether parts of the book were copied or forwarded to a friend. Television, too, was being redesigned to create precise records of viewing habits. A new electronic device known as a personal video recorder made it possible to store up to 30 hours of television programs; it also enabled viewers to skip commercials and to create their own program lineups. One model, TiVo, established viewer profiles that it then used to make viewing suggestions and to record future shows.There was also growing concern about Globally Unique Identifiers, or GUIDs, that made it possible to link every document, e-mail message, and on-line chat room posting with the real-world identity of the individual who created it. In effect, GUIDs are a kind of serial number that can be linked with a person's name and e-mail address when he or she registers on-line for a product or service. In November 1999 RealJukebox, one of the most popular Internet music players, with reportedly 45 million registered users, became a focus of media attention when privacy advocates noted that the player could relay information to its parent company, RealNetworks, about the music each user downloaded, and that this could be matched with a unique identification number that pinpointed the user's identity. RealNetwork insisted that the company had never, in fact, matched the GUIDs with the data about music preferences. Nevertheless, hours after the media outcry began, RealNetworks disabled the GUIDs to avoid a DoubleClick-like public relations debacle. Even some software products such as Microsoft Corp.'s Word 97 and PowerPoint 97 embedded unique identifiers into every document. Soon all documents created electronically might have invisible markings that could be traced back to the author or recipient.Americans increasingly seemed to agree that Congress should save them from the worst excesses of on-line profiling. In a Business Week poll conducted in March, 57% of the respondents said that the government should pass laws regulating how personal information could be collected and used on the Internet. The European Union, for example, adopted the principle that information gathered for one purpose could not be sold or disclosed for another purpose without the consent of the individual concerned. The United States declined to adopt similar protection, even in light of evidence that bankrupt dot-coms, such as Toysmart, were being sold to other companies eager to sell personal data that had been collected on the condition that it not be disclosed. Efforts to pass comprehensive privacy legislation in the U.S. had long been thwarted by a political reality: the beneficiaries of privacy—everyone, in the abstract—were anonymous and diffuse, while the corporate opponents of privacy were well organized and well heeled. For this reason many privacy advocates were putting more emphasis on privacy-enhancing technologies, such as those offered by companies like Montreal-based Zero-Knowledge.com, that made it possible for an individual to cover his or her electronic tracks by, for example, browsing the Web and sending e-mails anonymously or pseudonymously.There is no single solution to the erosion of privacy in cyberspace, no single law that can be proposed or single technology that can be invented to stop the profilers and surveillants in their tracks. The battle for privacy must be fought on many fronts—legal, political, and technological—and each new assault must be vigilantly resisted as it occurs. There is nothing inevitable about the erosion of privacy in cyberspace, just as there is nothing inevitable about its reconstruction. We have the ability to rebuild some of the private spaces we have lost. What we need now is the will.Jeffrey Rosen is an associate professor at the George Washington University Law School and author of The Unwanted Gaze: The Destruction of Privacy in America (Random House, 2000). Part of this report is adopted from his article “The Eroded Self,” which first appeared in The New York Times Magazine.
* * *
Universalium. 2010.