2.12 Online Privacy

Personal information is not merely a person's name, address and Social Security number, but his or her shopping habits, driving record, medical diagnoses, work history, credit score, political affiliation, vacations, social contacts, educational record and more. The right to privacy refers to control over this personal data: who can acquire, keep, access and process this information.

Privacy is an inherent human right, namely to be free of surveillance from other individuals, organizations and/or the state.

To the disquiet of many {1} {15} {20} {21} {22} {26} {27} {49}, privacy is under increased threat today, with the Internet greatly facilitating the collection, storage and analysis of personal data. {51} {52} {53} {54} {58} {71} Realists of the Mortengau school will see this as the usual devil's bargain, the price paid by companies and individuals for wider access to information.

1. Federal, state and local governments collect personal information in pursuance of their duties, and that information is accessible to law enforcement agencies through several pieces of legislation: Communications Assistance for Law Enforcement Act, the USA Patriot Act and the Homeland Security Act, in many instances without judicial oversight. {2} {4} {5} {25} {64} Similar information is protected in Europe under more stringent Data Protection Acts, but can be accessed by tax and law enforcement officers and/or for reasons of 'state security'. {3} {6}

2. Similar information, often very detailed, noting interests, social preferences and purchase histories, is routinely collected by:

a. Shopping carts: merchants must keep this information safe, but may use it for marketing purposes (as does Amazon in making book suggestions) or sell it on to third parties.
b. Search engines: government requests that browsing information be stored by ISPs and made available to courts and law enforcement agencies has met with mixed success. {7} {53} {54}
c. Spyware: inadvertently downloaded, such programs can collect passwords, security codes, browsing histories, etc.
d. Social media: personal data can be sold or made available to third parties, {8} {23} usually advertisers but potentially to criminal elements.
e. Cookies and supercookies that track and profile Internet users. Some can be avoided by setting the browser security controls higher, but five new types evade such controls and are difficult to remove. {9}
f. Web bugs that track advertising campaigns. {52}
g. Advertising networks that track individuals across the Internet (e.g. Clickstream) can sell that information to advertisers. {10}
h. Service suppliers like Google collect information, either for their own use or to be sold for marketing purposes.
i. Forms: email addresses and profiles collected to receive some report or benefit can be sold on, or linked to advertising networks.
j. Deep Packet Inspection: networking technology that ISPs install to monitor customers' data; {11} {12} used to target advertising and terrorist activity. {25} {54}
k. Server traffic logs: routinely saved by ISPs and therefore available for analysis: who visited what pages when, etc.
l. Internet Payment Service Providers: detailed customer information (often including bank accounts) becomes available to third parties if security is breached (or some parts sold on).
m. Trusted computing environments: restrict viewing of sensitive material but also store user information for identification purposes. {13}
n. Email address harvesting software (e.g. Atomic Email Hunter) that collects email addresses, owners' names and interests for subsequent email marketing. {14}
o. Companies providing a background check on individuals (e.g. PeopleSearch and WhoWhere). {16}

Such information becomes more valuable when combined. A travel company offering snorkeling holidays in Thailand would be interested in subscribers to a diving magazine who also browsed web pages on holidays in the country. The security services would be failing in their duties if they did not look more closely at someone in email correspondence with animal liberation groups who started researching bomb-making equipment on the Internet.

Privacy Legislation

Broadly speaking, privacy is enshrined by legislation in Europe, but left for individuals to sue for violations in the USA. {5} Nonetheless, most countries have extensive legislation in place. {17} {18} {19} {24} {41} {42}

USA:

Felony: to use a computer to commit fraud, to maliciously access a computer without authorization, and to damage, copy, or remove files.
Misdemeanor: to use a computer to examine private files without authorization.

Computer Fraud and Abuse Act (CFAA): 1986

Felony: unauthorized access to a Federal computer system with the intent to steal or commit fraud or inflict malicious damage.
Misdemeanor: to traffic in passwords.

Electronic Communications Privacy Act: 1986

Electronic communications are private. Unauthorized access to and disclosure of private communications is unlawful.

Communications Assistance for Law Enforcement Act (CALEA): 1994

Law enforcement and intelligence agencies can conduct electronic surveillance.

Freedom of Information Act: 1996

Guaranteed access to data held by the state. Nine exemptions apply, including state security, commercially sensitive information, medical records, etc.

Communications Decency Act (CDA): 1996 (Overturned in 1997)

Felony: to transmit obscene or offensive material over the Internet.

Web Copyright Law: 1997

Infringement of copyright-protected material valued at least $1000 can be prosecuted, even if there is no profit from the crime. Penalties are heavy.

Child Online Protection Act (COPA): 1998

Federal crime: to transmit material that is harmful to children over the Internet for commercial purposes.

Digital Millennium Copyright Act: 1998

New rules, safeguards and penalties for downloading, sharing, and viewing copyrighted material online.

Gramm-Leach-Bliley Act: 1999

Authorized widespread sharing of personal information by financial institutions such as banks, insurers, and investment companies.

Safety and Freedom through Encryption (SAFE) Act: 2000

Relaxed US export controls on encryption.

Patriot Act: 2001

Drastically increased federal police investigatory powers, including the right to intercept email and track Internet usage.

Homeland Security Act: 2002

Centralized federal security functions to meet post-Cold War threats and challenges.

Intelligence Reform and Terrorism Prevention Act: 2004

Promoted a culture of information sharing among intelligence agencies and federal departments. Set up a five-member Privacy and Civil Liberties Oversight Board to protect privacy and civil liberties.

Internet Spy Act: 2011

ISPs must retain data on customer use for twelve months.

Cyber Intelligence Sharing and Protection Act: 2012

Cyber threat information can be shared between U.S. government departments and security companies.

EUROPE:

Article 8 of the European Convention on Human Rights

Most European countries adhere to the above, which declares:

Everyone has the right to respect for his private and family life, his home and his correspondence. Exceptions apply for reasons of national security, public safety, crime, disorder, public health, morals, and the threatened rights and freedoms of others.

Individual countries retain their own legislation, however: France has a law recognizing the right to privacy, but the UK does not.

Freedom of Information Acts

Guaranteed access to data held by the state. Passed by most countries, but data can be held back for state security reasons or simply delayed by 'staff shortages'.

Does Privacy Matter?

For many of today's Internet citizens, privacy does not matter. They take the view of a 2008 NYT article {30} that privacy is dead, which is a 'good thing' because everyone can now spy on everyone else and stop 'bad guys'. People (especially people in 'terrorist' countries) need to get accustomed to having their activities recorded and judged by concerned fellow citizens. {31}

Authorities indeed often argue for increased surveillance by saying 'if you've done nothing wrong, then you've got nothing to worry about.'

On practical grounds (i.e. leaving aside a country's Constitution, {63} the ethical issues and experience of life in a police state), the counter-arguments are:

1. Without some privacy, individuals and companies cannot maintain competitive advantage, which negates the capitalist system. {47} {66} {70}
2. Subsequent anonymity is needed by whistleblowers and crime witnesses if they are not to face uncertain futures and become less willing to testify. {41} {42}
3. Democracy is endangered if citizens cannot privately discuss matters of common concern. {51} {52} {53} Surveillance can pass into harassment, and then into the suppression of inconvenient views or evidence.
In particular:
a. Once collected, {48} {49} {50} {51} {52} {53} {54} information is not easily removed. No security system is entirely safe, and information becomes accessible to private interest groups, foreign powers or rogue elements of government. {44}
b. Diverse opinions, some unwelcome to the state {36} {37} {38}, are a feature of free societies, and free societies are generally the more prosperous. {56} {62}
c. The 'nothing to fear' argument operates largely in one direction, and governments often seem more concerned to 'shoot the messenger' than correct the injustices exposed. {43} {65} The extent of illegal spying by western governments on their own citizens is now being disclosed, with the whistleblower being denounced as a 'traitor' by mainstream media channels ostensibly charged with 'speaking truth to power'. {69} Moreover, even as illegal surveillance is being extended, more documents (tens of millions yearly) are being withheld from citizens whom governments claim to answer to. {76}
d. Security matters are indeed not properly balanced by accountability to citizens — who are supposedly served by government officials, pay their salaries {38} and are seen abroad as supporting their policies. {55} {38} That governments do routinely misbehave and cover up while prosecuting citizens for lesser crimes {32} {33} {34} {35} {36} {37} argues double standards, {68} and fuels attitudes that range from distrust to conspiracy theories. {45} {46} {58-61} Citizens become disaffected with government, which is then deprived of the trust, support and cooperation it needs to function effectively.
e. US data collection passes into commercial and industrial espionage, {74} which is damaging the reputation and prospects of all US IT companies. {69} {73}
f. Data can be and is used to blackmail individuals at all levels of government, military and corporate life. {72}
g. NSA activities go beyond surveillance: bank accounts, commercially sensitive information, computers, networks and software can be taken over and altered by the intelligence services without judicial oversight, or indeed legal disclosure for one year. {75}

Online Privacy Protection

Beyond not providing more information than specifically required, privacy is improved by:

1. Appointing a chief privacy officer to stay abreast of legislation and ensure the company meets requirements.
2. Surfing anonymously through systems like anonymizer, etc.
3. Encrypting all sensitive material with disk encryption software.
4. Blocking and removing spyware with superantispyware, etc.
5. Securing emails with hushmail, PGP, etc.
6. Erasing data on discarded hard disks with programs like secure erase, etc.
7. Removing cookies with browser controls and/or with programs like ccleaner, etc.
8. Blocking pop-ups with browser controls or software.
9. Using software provided by companies not implicated in government surveillance, if such exist. {67}
10. Moving to open-source, self-modified software.
11. Avoiding cloud storage of sensitive information, particularly when servers are located in Britain or America.
12. Keeping up to date with the more investigative and independent journalism on NSA and GCHQ. {75}

Questions

1. What are the main threats to personal privacy on the Internet, and how serious are they?
2. Outline the legislation relating to online privacy in the USA.
3. How does Europe generally treat online privacy?
4. Suggest practical measures to improve online privacy.
5. Do you think online privacy is an important matter? Give the arguments for and against.
