Tuesday, October 13, 2009

None of your business: Privacy

Do you have a secret? Have you ever lied? Are there certain
things you don't want your parents to know? How about your friends?
How would you feel if in twenty years, in the midst of a successful career,
someone told your boss that once, when you were 17, you tried some pot
at a party. Or that you are gay or have AIDS. What if they
got this information from an e-mail that you fully expected would not go
beyond yourself and the recipient, but was intercepted and posted on a
web page? That would be an unfair violation of your privacy.

While the Constitution does not literally guarantee your right to privacy,
over the past 223-odd years the Supreme Court has granted privacy protections
under, most notably, the Fifth Amendment's protection for self-incrimination
and the Fourth Amendments protection from unreasonable search and seizure
(Privacy Basics)
Fair
Information Practices
have been loosely followed by government and
industry. These are not laws - they are a set of industry ethics.
A generic
copy
of these policies states that practices should be open, individuals
maintain the right to know and see what data is being collected from them,
data collection should be limited, specific, and secure, and that data
collectors will be responsible for the use of the information.


To discuss online privacy, there are a couple basic definitions to take
into account. I'm sure that no matter how little time you have spent
online, you have been asked if you would like to accept a cookie, or told
that a cookie has been sent. Well, of course,
you think at first. Mmmmm....cookie. Unfortunately, cookies
are not quite that tangible nor delectable. A cookie
is a piece of data that a web site collects about you when you visit (Cookie
Central,
Cookies).
The data varies with the web site - a commercial web site will collect
demographics
(that is, sex, age, and other advertising information) to learn more about
you, while an e-mail service may collect identifying
or personal (name, mailing address) information
to recognize you. Cookies allow a web site to be tailor made for
you as long as you stay in that domain name or each time you visit.
An CGI or JavaScript code in the beginning of the web page you visit instructs
you browser to send certain information to a server. If you have
ever checked a box saying "Remember My Password", you have set a cookie.

There are two aspects of privacy online. One is a need for protection
for yourself. Online stalking has been a problem, with people harassing
new 'friends' online and sometimes even threatening them, or confronting
them in person. The second is a need to protect your data from strangers.
This comes not from the fear of physical, but financial harm. The
first is the fear of being mugged on the way down to the mail box, and
the second is the fear of being mugged on the way back, while carrying
your paycheck and credit card bill.

The Communication Decency Act (CDA, see also section How
Obscene!: The Plot Thickens
) stated that telecommunications,
meaning the internet, e-mail, chat and chat programs (including IRC, AIM,
and ICQ) should not be used to purposely harass or intimidate. You
cannot e-mail bomb people. Also, under the law you must identify
yourself. This part of the CDA was unaffected by the Supreme Court
decision regarding obscenity clauses.

There are three levels
of online privacy provided by systems administrators (admin), like the
guy in the back room at school or AOL monitors. (Bowman, What
Is Privacy?
). The first is Complete Privacy. Here, the
admin agrees not to read any of your e-mail or keep track of where you
go on the web in any way. This obviously allows the most privacy,
but often creates a liability to admins and Internet Service Providers
(ISP). The second level is Almost Complete Privacy. Here admins
will look at your e-mails and chats if they suspect any sort of illegal
activity. The third level is No Privacy. Here admins are allowed
to look at any email you send, whether the subject is "My Plan To Plunge
The Internet Into Darkness" or "My Rave With Dave".

Your privacy is protected by some laws already. The Electronic
Communcations Privacy Act, created in the late 70's in response to the
Watergate scandal, already protects against interception of electronically
transmitted messages as well as the privacy of information stored within
a private computer system (Bowman, What
Is The Electronic Communications Privacy Act ("ECPA")
). But in
March of 1992, the FBI suggested that all communications be designed so
that law enforcement agents could tap into them from afar (Cranor, Digital
Liberties
). This would have made e-mail, the internet, chat rooms,
and even ISPs vulnerable to be intercepted at any time. Opponents
claimed that the first version of the bill gave the FBI privileges it had
not been afforded in older wiretapping laws. The FBI worked with
Senator Patrick Leahy (D-VT) and Representative Don Edwards (D-CA) to refine
a new bill (Edwards/Leahy
Digital Telephony Legisl
ation (HR 4922/S 2375)), which was passed almost
unanimously into law. ISPs were now exempt from the law. Some
considered this a failure, but most agreed that the protection afforded
to ISPs was a victory or at least a good compromise. However, this
simply makes intercepting data illegal. It does not make it impossible.

A recent survey by the Georgetown
Business School
states that 93% of commercial internet sites collect
some sort of data that may be used to identify your (this may be your home
address, you e-mail address, name, etc.) and 57% collect demographics. Over
one third of these sites did not post any information that they were collecting
data and/or what it would be used for. The report concluded that
only 10% of the commercial web sites that collected personal or demographic
information followed fair information practices in respect to notice, choice,
access, security and contact information. The Center for Democracy
and Technology believes that "the study shows that definite progress
has been made in making many more Web sites privacy sensitive. But those
numbers also show that real fair information practices are incorporated
by only a small number of sites and most sites have yet to embody more
than minimum disclosure of their information practices."




Last revised: 7/23/99


No comments: