INVASION OF PRIVACY
By JOSHUA QUITTNER
For the longest time, I couldn't get worked up about privacy: my right to it; how it's dying; how we're headed for an even more wired, underregulated, overintrusive, privacy-deprived planet.
I mean, I probably have more reason to think about this stuff than the average John Q. All Too Public. A few years ago, for instance, after I applied for a credit card at a consumer-electronics store, somebody got hold of my name and vital numbers and used them to get a duplicate card. That somebody ran up a $3,000 bill, but the nice lady from the fraud division of the credit-card company took care of it with steely digital dispatch. (I filed a short report over the phone. I never lost a cent. The end.)
I also hang out online a lot, and now and then on the Net someone will impersonate me, spoofing my E-mail address or posting stupid stuff to bulletin boards or behaving in a frightfully un-Quittner-like manner in chat parlors from here to Bianca's Smut Shack. It's annoying, I suppose. But in the end, the faux Quittners get bored and disappear. My reputation, such as it is, survives.
I should also point out that as news director for Pathfinder, Time Inc.'s mega info mall, and a guy who makes his living on the Web, I know better than most people that we're hurtling toward an even more intrusive world. We're all being watched by computers whenever we visit Websites; by the mere act of "browsing" (it sounds so passive!) we're going public in a way that was unimaginable a decade ago. I know this because I'm a watcher too. When people come to my Website, without ever knowing their names, I can peer over their shoulders, recording what they look at, timing how long they stay on a particular page, following them around Pathfinder's sprawling offerings.
None of this would bother me in the least, I suspect, if a few years ago, my phone, like Marley's ghost, hadn't given me a glimpse of the nightmares to come. On Thanksgiving weekend in 1995, someone (presumably a critic of a book my wife and I had just written about computer hackers) forwarded my home telephone number to an out-of-state answering machine, where unsuspecting callers trying to reach me heard a male voice identify himself as me and say some extremely rude things. Then, with typical hacker aplomb, the prankster asked people to leave their messages (which to my surprise many callers, including my mother, did). This went on for several days until my wife and I figured out that something was wrong ("Hey...why hasn't the phone rung since Wednesday?") and got our phone service restored.
It seemed funny at first, and it gave us a swell story to tell on our book tour. But the interloper who seized our telephone line continued to hit us even after the tour ended. And hit us again and again for the next six months. The phone company seemed powerless. Its security folks moved us to one unlisted number after another, half a dozen times. They put special pin codes in place. They put traces on the line. But the troublemaker kept breaking through.
If our hacker had been truly evil and omnipotent as only fictional movie hackers are, there would probably have been even worse ways he could have threatened my privacy. He could have sabotaged my credit rating. He could have eavesdropped on my telephone conversations or siphoned off my E-mail. He could have called in my mortgage, discontinued my health insurance or obliterated my Social Security number. Like Sandra Bullock in The Net, I could have been a digital untouchable, wandering the planet without a connection to the rest of humanity. (Although if I didn't have to pay back school loans, it might be worth it. Just a thought.)
Still, I remember feeling violated at the time and as powerless as a minnow in a flash flood. Someone was invading my private space--my family's private space--and there was nothing I or the authorities could do. It was as close to a technological epiphany as I have ever been. And as I watched my personal digital hell unfold, it struck me that our privacy--mine and yours--has already disappeared, not in one Big Brotherly blitzkrieg but in Little Brotherly moments, bit by bit.
Losing control of your telephone, of course, is the least of it. After all, most of us voluntarily give out our phone number and address when we allow ourselves to be listed in the White Pages. Most of us go a lot further than that. We register our whereabouts whenever we put a bank card in an ATM machine or drive through an E-Z Pass lane on the highway. We submit to being photographed every day--20 times a day on average if you live or work in New York City--by surveillance cameras. We make public our interests and our purchasing habits every time we shop by mail order or visit a commercial Website.
I don't know about you, but I do all this willingly because I appreciate what I get in return: the security of a safe parking lot, the convenience of cash when I need it, the improved service of mail-order houses that know me well enough to send me catalogs of stuff that interests me. And while I know we're supposed to feel just awful about giving up our vaunted privacy, I suspect (based on what the pollsters say) that you're as ambivalent about it as I am.
Popular culture shines its klieg lights on the most intimate corners of our lives, and most of us play right along. If all we really wanted was to be left alone, explain the lasting popularity of Oprah and Sally and Ricki tell-all TV. Memoirs top the best-seller lists, with books about incest and insanity and illness leading the way. Perfect strangers at cocktail parties tell me the most disturbing details of their abusive upbringings. Why?
"It's a very schizophrenic time," says Sherry Turkle, professor of sociology at the Massachusetts Institute of Technology, who writes books about how computers and online communication are transforming society. She believes our culture is undergoing a kind of mass identity crisis, trying to hang on to a sense of privacy and intimacy in a global village of tens of millions. "We have very unstable notions about the boundaries of the individual," she says.
If things seem crazy now, think how much crazier they will be when everybody is as wired as I am. We're in the midst of a global interconnection that is happening much faster than electrification did a century ago and is expected to have consequences at least as profound. What would happen if all the information stored on the world's computers were accessible via the Internet to anyone? Who would own it? Who would control it? Who would protect it from abuse?
Small-scale privacy atrocities take place every day. Ask Dr. Denise Nagel, executive director of the National Coalition for Patient Rights, about medical privacy, for example, and she rattles off a list of abuses that would make Big Brother blush. She talks about how two years ago, a convicted child rapist working as a technician in a Boston hospital riffled through 1,000 computerized records looking for potential victims (and was caught when the father of a nine-year-old girl used caller ID to trace the call back to the hospital). How a banker on Maryland's state health commission pulled up a list of cancer patients, cross-checked it against the names of his bank's customers and revoked the loans of the matches. How Sara Lee bakeries planned to collaborate with Lovelace Health Systems, a subsidiary of Cigna, to match employee health records with work-performance reports to find workers who might benefit from antidepressants.
Not to pick on Sara Lee. At least a third of all FORTUNE 500 companies regularly review health information before making hiring decisions. And that's nothing compared with what awaits us when employers and insurance companies start testing our DNA for possible imperfections. Farfetched? More than 200 subjects in a case study published last January in the journal Science and Engineering Ethics reported that they had been discriminated against as a result of genetic testing. None of them were actually sick, but DNA analysis suggested that they might become sick someday. "The technology is getting ahead of our ethics," says Nagel, and the Clinton Administration clearly agrees. It is about to propose a federal law that would protect medical and health-insurance records from such abuses.
But how did we arrive at this point, where so much about what we do and own and think is an open book?
It all started in the 1950s, when, in order to administer Social Security funds, the U.S. government began entering records on big mainframe computers, using nine-digit identification numbers as data points. Then, even more than today, the citizenry instinctively loathed the computer and its injunctions against folding, spindling and mutilating. We were not numbers! We were human beings! These fears came to a head in the late 1960s, recalls Alan Westin, a retired Columbia University professor who publishes a quarterly report Privacy and American Business. "The techniques of intrusion and data surveillance had overcome the weak law and social mores that we had built up in the pre-World War II era," says Westin.
The public rebelled, and Congress took up the question of how much the government and private companies should be permitted to know about us. A privacy bill of rights was drafted. "What we did," says Westin, "was to basically redefine what we meant by 'reasonable expectations of privacy'"--a guarantee, by the way, that comes from the Supreme Court and not from any constitutional "right to privacy."
The result was a flurry of new legislation that clarified and defined consumer and citizen rights. The first Fair Credit Reporting Act, passed in 1970, overhauled what had once been a secret, unregulated industry with no provisions for due process. The new law gave consumers the right to know what was in their credit files and to demand corrections. Other financial and health privacy acts followed, although to this day no federal law protects the confidentiality of medical records.
As Westin sees it, the public and private sectors took two very different approaches. Congress passed legislation requiring that the government tell citizens what records it keeps on them while insisting that the information itself not be released unless required by law. The private sector responded by letting each industry--credit-card companies, banking, insurance, marketing, advertising--create its own guidelines.
That approach worked--to a point. And that point came when mainframes started giving way to desktop computers. In the old days, information stored in government databases was relatively inaccessible. Now, however, with PCs on every desktop linked to office networks and then to the Internet, data that were once carefully hidden may be only a few keystrokes away.
Suddenly someone could run motor-vehicle-registration records against voting registrations to find 6-ft.-tall Republicans who were arrested during the past year for drunk driving--and who own a gun. The genie was not only out of the bottle, he was also peering into everyone's bedroom window. (Except the windows of the very rich, who can afford to screen themselves.)
"Most people would be astounded to know what's out there," says Carole Lane, author of Naked in Cyberspace: How to Find Personal Information Online. "In a few hours, sitting at my computer, beginning with no more than your name and address, I can find out what you do for a living, the names and ages of your spouse and children, what kind of car you drive, the value of your house and how much taxes you pay on it."
Lane is a member of a new trade: paid Internet searcher, which already has its own professional group, the Association of Independent Information Professionals. Her career has given her a fresh appreciation for what's going on. "Real privacy as we've known it," she says, "is fleeting."
Now, there are plenty of things you could do to protect yourself. You could get an unlisted telephone number, as I was forced to do. You could cut up your credit card and pay cash for everything. You could rip your E-Z Pass off the windshield and use quarters at tolls. You could refuse to divulge your Social Security number except for Social Security purposes, which is all that the law requires. You'd be surprised how often you're asked to provide it by people who have no right to see it.
That might make your life a bit less comfortable, of course. As in the case of Bob Bruen, who went into a barbershop in Watertown, Mass., recently. "When I was asked for my phone number, I refused to give them the last four digits," Bruen says. "I was also asked for my name, and I also refused. The girl at the counter called her supervisor, who told me I could not get a haircut in their shop." Why? The barbershop uses a computer to record all transactions. Bruen went elsewhere to get his locks shorn.
But can we do that all the time? Only the Unabomber would seriously suggest that we cut all ties to the wired world. The computer and its spreading networks convey status and bring opportunity. They empower us. They allow an information economy to thrive and grow. They make life easier. Hence the dilemma.
The real problem, says Kevin Kelly, executive editor of Wired magazine, is that although we say we value our privacy, what we really want is something very different: "We think that privacy is about information, but it's not--it's about relationships." The way Kelly sees it, there was no privacy in the traditional village or small town; everyone knew everyone else's secrets. And that was comfortable. I knew about you, and you knew about me. "There was a symmetry to the knowledge," he says. "What's gone out of whack is we don't know who knows about us anymore. Privacy has become asymmetrical."
The trick, says Kelly, is to restore that balance. And not surprisingly, he and others point out that what technology has taken, technology can restore. Take the problem of "magic cookies"--those little bits of code most Websites use to track visitors. We set up a system at Pathfinder in which, when you visit our site, we drop a cookie into the basket of your browser that tags you like a rare bird. We use that cookie in place of your name, which, needless to say, we never know. If you look up a weather report by keying in a zip code, we note that (it tells us where you live or maybe where you wish you lived). We'll mark down whether you look up stock quotes (though we draw the line at capturing the symbols of the specific stocks you follow). If you come to the Netly News, we'll record your interest in technology. Then, the next time you visit, we might serve up an ad for a modem or an online brokerage firm or a restaurant in Akron, Ohio, depending on what we've managed to glean about you.
Some people find the whole process offensive. "Cookies represent a way of watching consumers without their consent, and that is a fairly frightening phenomenon," says Nick Grouf, CEO of Firefly, a Boston company that makes software offering an alternative approach to profiling, known as "intelligent agents."
Privacy advocates like Grouf--as well as the two companies that control the online browser market, Microsoft and Netscape--say the answer to the cookie monster is something they call the Open Profiling Standard. The idea is to allow the computer user to create an electronic "passport" that identifies him to online marketers without revealing his name. The user tailors the passport to his own interests, so if he is passionate about fly-fishing and is cruising through L.L. Bean's Website, the passport will steer the electronic-catalog copy toward fishing gear instead of, say, Rollerblades.
The advantage to computer users is that they can decide how much information they want to reveal while limiting their exposure to intrusive marketing techniques. The advantage to Website entrepreneurs is that they learn about their customers' tastes without intruding on their privacy.
Many online consumers, however, are skittish about leaving any footprints in cyberspace. Susan Scott, executive director of TRUSTe, a firm based in Palo Alto, Calif., that rates Websites according to the level of privacy they afford, says a survey her company sponsored found that 41% of respondents would quit a Web page rather than reveal any personal information about themselves. About 25% said when they do volunteer information, they lie. "The users want access, but they don't want to get correspondence back," she says.
But worse things may already be happening to their E-mail. Many office electronic-mail systems warn users that the employer reserves the right to monitor their E-mail. In October software will be available to Wall Street firms that can automatically monitor correspondence between brokers and clients through an artificial-intelligence program that scans for evidence of securities violations.
"Technology has outpaced law," says Marc Rotenberg, director of the Washington-based Electronic Privacy Information Center. Rotenberg advocates protecting the privacy of E-mail by encrypting it with secret codes so powerful that even the National Security Agency's supercomputers would have a hard time cracking it. Such codes are legal within the U.S. but cannot be used abroad--where terrorists might use them to protect their secrets--without violating U.S. export laws. The battle between the Clinton Administration and the computer industry over encryption export policy has been raging for six years without resolution, a situation that is making it hard to do business on the Net and is clearly starting to fray some nerves. "The future is in electronic commerce," says Ira Magaziner, Clinton's point man on Net issues. All that's holding it up is "this privacy thing."
Rotenberg thinks we need a new government agency--a privacy agency--to sort out the issues. "We need new legal protections," he says, "to enforce the privacy act, to keep federal agencies in line, to act as a spokesperson for the Federal Government and to act on behalf of privacy interests."
Wired's Kelly disagrees. "A federal privacy agency would be disastrous! The answer to the whole privacy question is more knowledge," he says. "More knowledge about who's watching you. More knowledge about the information that flows between us--particularly the meta information about who knows what and where it's going."
I'm with Kelly. The only guys who insist on perfect privacy are hermits like the Unabomber. I don't want to be cut off from the world. I have nothing to hide. I just want some measure of control over what people know about me. I want to have my magic cookie and eat it too.
--With reporting by William Dowell and Noah Robischon/New York and Declan McCullagh and Bruce van Voorst/Washington
With reporting by WILLIAM DOWELL AND NOAH ROBISCHON/NEW YORK AND DECLAN MCCULLAGH AND BRUCE VAN VOORST/WASHINGTON