|
|
 THE STAT 26Percentage of wireless customers who use their cell phones to take picturesMore Vitals
| |
JUNE 5, 2002 SPECIAL REPORT: NEW THREATS TO PRIVACY Faceless Snoopers Have the Upper Hand The many post-September 11 surveillance upgrades -- and ever-savvier hackers -- ensure the further erosion of privacy as we knew it It turns out that Fletcher isn't as loony as he sounds: Rogue government intelligence officials are using high-tech listening devices, powerful cameras, computer eavesdropping, and stealth helicopters to track his every move. Luckily for Fletcher, he's played by Mel Gibson, who doesn't die all that often in the movies. With characteristic leading-man determination, a little luck, and the support of a heroine played by Julia Roberts, Fletcher is able save himself and the girl. If only everyone could be assured of such an upbeat result. For years, businesses have kept tabs on anyone who leaves a record of commercial transactions -- and made countless judgments about millions of Americans based on these credit histories. Over the past half-decade, the Internet has made collecting, analyzing, and redistributing this supposedly private information much easier than before. In the wake of September 11, scrutiny of average people has been further heightened, with government, corporate, and airport security being enhanced. EVERYDAY EXPOSURE. On May 29, the FBI took another leap, unilaterally reinstating sweeping surveillance powers that were suspended in the 1960s after the original G-man, J. Edgar Hoover, abused them to spy on civil rights leaders and protestors against the Vietnam War. The FBI got these abilities back despite mounting evidence that it and other U.S. agencies failed to thwart last fall's attacks not for lack of intelligence but because they didn't adequately analyze and act on the information they had. Screw up, it seems, and you get more power.
Hunter isn't alone in proclaiming the end of privacy as we know it. Academics, technical experts, and even government bureaucrats agree that enough information is now in circulation about individual Americans to cause great harm should it fall into the wrong hands. "We're in a privacy war right now, and the barbarians are at the gates," warns Edwin Black, author of the 2001 book IBM and the Holocaust, which charts how the collection and analysis of personal data helped Adolph Hitler identify, round up, and murder more than 6 million Jews during World War II. Adds Howard Beales, director of consumer protection at the Federal Trade Commission (FTC), which regulates how information on consumers is collected and used: "The information is already out there. And it's available to too many people." "I'M EXTREMELY PARANOID." The more you understand about the ways your personal data and communications can be monitored, the more aware you become of how many germs of truth are contained in such fiction as Conspiracy Theory. Take Max Levchin, the 26-year-old chief technology officer of Internet payment service PayPal. A math whiz, Levchin writes software that detects fraud in online payments. Called Igor, his software is so good that the FBI sometimes uses it to help track down cybercrooks. Knowing that others can do what he does, "I'm extremely paranoid," Levchin says. "The possible ways to hurt someone by using his or her data are infinite." So, he takes no chances with his information. Levchin encrypts every e-mail he sends and keeps his encryption keys -- software that unlocks scrambled messages -- on a portable hard drive that he never lets out of his sight. Like many in his field, Levchin is alarmed less by the mere collection of his data than by the difficulty of controlling who has access to it -- or what the agencies are doing with it. Under the FBI's new rules, its investigators are no longer prohibited from monitoring Net communications such as chat rooms and e-mail. And they can do so without a search warrant. IDENTITY THEFT. The bureau will also be permitted to use marketing and demographic information collected by commercial companies to develop leads. This means that if you buy a book about radical Muslim theology at Amazon.com, the FBI could find out about it. They'll also be able to combine that information with your credit history, mortgage information, and -- if you have a gizmo that charges your highway tolls to a credit card -- where you drive and when. And you probably won't have a clue it's happening.
That's why such data is a gold mine for identity thieves -- people who use someone else's information to engage in large fraudulent transactions, such as taking loans in the names of the unsuspecting victims. The FTC received 86,182 complaints of identity theft last year, up from 31,103 a year earlier. Experian's databases weren't hacked, according to spokesman Donald Giraud. The theft appears to have been an inside job. PRIVACY COMPLACENCY. Despite such danger signs, the majority of Americans remain blissfully unaware of -- or at least loath to confront -- the increasing threat to their privacy. When Yahoo! (YHOO ) in March changed its privacy policy so it could send direct-mail solicitations and make telemarketing calls to its tens of millions of registered users, the news made front pages across the country. Yet only one-third of one percent of users abandoned the service, according to Yahoo. The truth is, although consumers swear they value their privacy, for the most part their actions say otherwise. Take Internet service provider Earthlink (ELNK ), which is abandoning a national advertising campaign launched in March that stresses privacy protection for its subscribers. One Earthlink TV spot shows a woman giving a man her phone number in a bar -- after which he sells it to the bartender and another patron, right in front of her. However, recent Earthlink focus groups reveal that while privacy is important to people, it isn't crucial enough to win over new customers. "For some people, privacy is a great differentiator between us and some of the 'other guys,'" says Arley Baker, Earthlink's director of corporate communications. "But it's not the paramount value that we're banking on to sell service." WAITING FOR DISASTER. One explanation may be that the loss of privacy so far hasn't overly disturbed the average American. So what if a Yahoo telemarketer calls you at dinner? It's annoying, but that's about all, many say.
The public may focus on this issue only after a true privacy debacle, experts say. "Advocates of new laws to protect personal privacy are spinning their wheels," declares Stephen Keating, president of Privacy Foundation, a Denver advocacy group. "What they really need is a disaster -- something like a government data spill of millions of citizen records onto the Internet. Or an insurance cabal that denies medical coverage based on genetic predispositions to disease. That's the type of hype that drives public policy." SILENT THREAT. Keating is engaging in hyperbole, of course. No one really wants more privacy tragedies such as the case of Amy Boyer, a 21-year-old New Hampshire woman who was stalked and murdered in 1999 by a man who traced her by using her Social Security number, which he found on the Net. Still, many privacy advocates believe a well-publicized event is the only way to make consumers and policymakers understand that individuals are more at risk than they perceive. "Privacy is a land mine," says David Krane, senior vice-president for public policy research at pollster Harris Interactive. "It threatens silently until someone steps on it. Then, everyone runs around and says we have to do something about it." Where and when a privacy land mine will explode remains unclear. (Many privacy advocates are dismayed that the theft of Experian credit histories hardly raised an alarm.) Until the issue detonates, the steady erosion of privacy is likely to continue. A HOLLOW VICTORY. Take the recent court decision in a contentious case between Hollywood studios and SonicBlue, a manufacturer of digital video recorders. The studios are suing SonicBlue because its device allows customers to skip commercials and send pay-TV programming to friends via the Net -- something the studios claim promotes copyright violation. As part of the discovery process, a magistrate ordered SonicBlue to track what TV shows individual customers recorded and hand over that data to the studios. SonicBlue refused, claiming it would violate customer privacy -- not to mention requiring new, costly software revisions. On June 3, a district court judge in Los Angeles overturned the ruling.
What's the antidote? "People have to take more charge of their information. And, sorry, it's going to be more work than you're used to," says Microsoft's privacy czar, Richard Purcell (see BW Online, 5/23/02, "Microsoft's Privacy Czar on the 'Trust Model'"). OFFLINE AND OBLIVIOUS. The most basic issue people face is figuring out how to manage their own privacy. Research firm Gartner G2, which tracks growth companies, reports that as many as one-third of Americans refuse to shop online because they don't trust companies either to handle their information securely or to refrain from sharing it with others. It apparently never occurs to many of these people that they should be just as concerned about the information they put on paper documents, such as medical records and loan applications -- data that for decades have been gathered and stored in private networks by credit agencies. For most people, figuring out who has their data and what's being done with this information is more than a full-time job. In fact, it may be impossible. The key is to give individuals simple ways to protect themselves or to monitor how their information is being used. While that's easier said than done, technology experts are on the case. At Stanford University, cryptographer Daniel Boneh has developed a convenient way for Net users to encrypt e-mail: by using someone's address as their "public key." "CONVENIENCE IS CRITICAL." Until now, if Jim wanted to send Jill a secure message, he needed Jill's public key -- a long string of numbers that's listed in a public directory on the Net -- to encrypt the message. When Jill received the message, she would "unlock" it using her corresponding private key, which only she has the code for. Under Boneh's plan, introduced on May 30, Jill's public key would be her e-mail address. No need to look anything up anymore. "Convenience is critical to privacy," Boneh says. "The only successful security products are the ones that require zero change in the user experience."
That's a useful effort, but far more needs to be done. The FTC's crackdown on deceptive, unsolicited e-mail doesn't begin to take on the larger privacy issues that are starting to emerge. The FTC doesn't even effectively punish companies that violate their own privacy policies. EASY PICKINGS. Witness the case of drugmaker Eli Lilly, (LLY ), which in June, 2001, revealed to subscribers of a medicine-reminder service the names and e-mail addresses of 669 visitors to its Prozac Web site. On Jan. 18, the FTC settled with Lilly, barring it from misrepresenting its privacy policy and mandating a four-step security plan. Critics say the settlement amounted to a slap on the wrist. "The FTC is shooting fish in a barrel," argues Chris Hoofnagle, the Electronic Privacy Information Center's legislative counsel. He means it's tackling narrow, easy issues such as deceptive e-mail, instead of sweeping, complex ones such as how much access individuals should be guaranteed to view data that has been collected on them -- and then contest or correct it. The issue becomes even more complex when it's the FBI that's watching. Law-enforcement officials argue that new powers of surveillance are a necessity to prevent another terrorist attack, a claim that's difficult, at least politically, to dismiss. The key, then, is demanding tough, independent oversight of law-enforcement officials, just as the Securities & Exchange Commission oversees multinational corporations. "GET OVER IT"? One idea is to create an independent U.S. inspector general to watch the watchers. "Today, the inspectors in each Cabinet department report -- and owe their jobs -- to the people they are supposed to watch," says privacy advocate and author David Brin. "We need more accountability." Of course, some folks argue that it's too late to reign in surveillance. Scott McNealy, the brash CEO of Sun Microsystems, was quoted several years ago as saying: "You have zero privacy anyway. Get over it." That's certainly a practical view, though one most suited for a world where the biggest threat most people face thanks to their loss of privacy is a surfeit of junk mail. A world of covert snooping, in which life-and-death inferences could be made from information that may not even be accurate, is an entirely different matter. For now, such doomsday scenarios remain conspiracy theories. But remember: A kernel of truth is probably at the heart of every one.  By Jane Black in New York Get BusinessWeek directly on your desktop with our RSS feeds.  Add BusinessWeek news to your Web site with our headline feed. Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video. To subscribe online to BusinessWeek magazine, please click here. Learn more, go to the BusinessWeekOnline home page  | | JUNE |
 Copyright 2002 , by The McGraw-Hill Companies Inc. All rights reserved.Terms of Use | Privacy Policy |
Printer-Friendly Version